From 2ed515c632db1ea70867c57487fbf34040786cc4 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 27 Aug 2025 17:09:02 +0200 Subject: [PATCH] DOC: configuration: clarify 'default-crt' and implicit default certificates Clarify the behavior of implicit default certificates when used on the same line as the default-crt keyword. Should be backported as far as 3.2 --- doc/configuration.txt | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 5298a239a..da4471cf6 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16611,9 +16611,13 @@ crt-list default-crt This option does the same as the "crt" option, with the difference that this - certificate will be used as a default one. It is possible to add multiple - default certificates to have an ECDSA and an RSA one, having more is not - really useful. + certificate will be used as a default one as well. It is possible to add + multiple default certificates to have an ECDSA and an RSA one, having more is + not really useful. + + This option does not disable implicit default certificates, if a 'crt' + certificate is declared first before any 'default-crt' or other 'crt' it will + still be used as a default certificate. A default certificate is used when no "strict-sni" option is used on the bind line. A default certificate is provided when the servername extension was not @@ -16622,8 +16626,12 @@ default-crt Example: + # this bind line has 2 default certificates bind *:443 default-crt foobar.pem.rsa default-crt foobar.pem.ecdsa crt website.pem.rsa + # this bind line has 3 default certificates + bind *:443 crt website.pem.rsa default-crt foobar.pem.rsa default-crt foobar.pem.ecdsa + See also the "crt" keyword. curves
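Review bot: the new paragraph in the first hunk ("This option does not disable implicit default certificates, if a 'crt' certificate is declared first before any 'default-crt' or other 'crt' it will still be used as a default certificate.") is a comma splice and "first before any" is redundant; the surrounding text also quotes keywords with double quotes ("crt", "strict-sni") while this paragraph switches to single quotes. Suggest: `This option does not disable implicit default certificates: if a "crt" certificate is declared before any "default-crt", it will still be used as a default certificate.` It would also help to spell out the consequence for operators, since the default certificate is what is served to clients that send no or an unknown servername: if the first "crt" is not meant to be a default, declare the "default-crt" entries before it (as the existing example does) or use "strict-sni".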
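Review bot: the two comments added in the second hunk state a count ("2 default certificates", "3 default certificates") but not which certificates are defaults, which is the whole point being illustrated. Suggest naming them so the reader sees that ordering changes the set, e.g. `# 2 default certificates: foobar.pem.rsa and foobar.pem.ecdsa` for the first line and `# 3 default certificates: website.pem.rsa (implicit, declared first), foobar.pem.rsa and foobar.pem.ecdsa` for the second.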