DOC: configuration: clarify 'default-crt' and implicit default certificates

Clarify the behavior of implicit default certificates when used on the same line as the default-crt keyword. Should be backported as far as 3.2
2025-09-20 13:21:29 +02:00 · 2025-08-27 17:09:02 +02:00 · 2025-08-27 17:09:02 +02:00 · 2ed515c632
commit 2ed515c632
parent ab7358b366
1 changed files with 11 additions and 3 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -16611,9 +16611,13 @@ crt-list <file>

 default-crt <cert>
  This option does the same as the "crt" option, with the difference that this
-  certificate will be used as a default one. It is possible to add multiple
-  default certificates to have an ECDSA and an RSA one, having more is not
-  really useful.
+  certificate will be used as a default one as well. It is possible to add
+  multiple default certificates to have an ECDSA and an RSA one, having more is
+  not really useful.
+
+  This option does not disable implicit default certificates, if a 'crt'
+  certificate is declared first before any 'default-crt' or other 'crt' it will
+  still be used as a default certificate.

  A default certificate is used when no "strict-sni" option is used on the bind
  line. A default certificate is provided when the servername extension was not
@ -16622,8 +16626,12 @@ default-crt <cert>

  Example:

+     # this bind line has 2 default certificates
     bind *:443 default-crt foobar.pem.rsa default-crt foobar.pem.ecdsa crt website.pem.rsa

+     # this bind line has 3 default certificates
+     bind *:443 crt website.pem.rsa default-crt foobar.pem.rsa default-crt foobar.pem.ecdsa
+
  See also the "crt" keyword.

 curves <curves>