Automatic https: How to use dual certificates

The problem I’m having:

I have a site that some clients need to connect to with RSA certificates. I still want the more modern clients to be able to connect with ECC. All other sites use ECC only.
How do I configure that one site with dual certificates?

Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

You can use the tls directive for the “special” sites to use an RSA key:

If I read the definition correctly

key_type  ed25519 | p256 | p384 | rsa2048 | rsa4096

this would not make Caddy grab both certificates, correct?

special.example.com {
    tls {
        key_type  p256 | rsa4096
    }
    respond "OK" 200
}

It’s not currently possible to automate issuance of two certs for the same subject with different key types. One problem is the storage key does not differentiate itself based on the key type, so it’s not possible to store two sets of cert/key pairs for a particular subject currently.

It should be possible to load two different cert/key pairs that you provide yourself to Caddy. You’d have to use JSON config, though; the Caddyfile doesn’t support configuring this right now (because nobody’s really needed it, it’s very niche). This had been requested in Multiple certificate support (e.g. ECDSA & RSA) · Issue #1575 · caddyserver/caddy · GitHub.

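
The "load two pairs you provide yourself, via JSON" route from the reply above, as an added example that is not from the original thread or from the Caddy project. The Go program below generates an RSA-2048 and an ECDSA P-256 self-signed certificate for the hypothetical special.example.com, checks that the two files really carry different public key algorithms, and prints the Caddy JSON config with both pairs listed (and tagged) under apps.tls.certificates.load_files. The hostname, the srv0 server name, the rsa/ecc tags and the temp-dir file paths are assumptions; the self-signed certs stand in for the CA-issued pairs you would actually load.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// host is the hypothetical site from the thread that must offer both key types.
const host = "special.example.com"

// writeSelfSigned writes a self-signed certificate for host and its PKCS#8 key into dir
// and returns both paths. Self-signed certs stand in for the CA-issued pairs you would
// supply in practice; Caddy only needs readable PEM files.
func writeSelfSigned(dir, name string, key crypto.Signer) (certPath, keyPath string, err error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath = filepath.Join(dir, name+".crt"), filepath.Join(dir, name+".key")
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}), 0o644); err != nil {
		return "", "", err
	}
	// The private key is written 0600 so only the Caddy user can read it.
	return certPath, keyPath, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
}

// publicKeyAlgorithm reports "RSA", "ECDSA", ... for the first certificate in a PEM file,
// a quick check that the two files you are about to load really differ.
func publicKeyAlgorithm(certPath string) (string, error) {
	raw, err := os.ReadFile(certPath)
	if err != nil {
		return "", err
	}
	block, _ := pem.Decode(raw)
	if block == nil {
		return "", fmt.Errorf("%s: no PEM block found", certPath)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return cert.PublicKeyAlgorithm.String(), nil
}

// dualCertConfig returns the Caddy JSON config: both pairs loaded (and tagged) under
// apps.tls.certificates.load_files, one site on :443. Automatic HTTPS skips issuance for a
// hostname that already has certificates loaded; each handshake gets a loaded cert the ClientHello accepts.
func dualCertConfig(rsaCert, rsaKey, eccCert, eccKey string) map[string]any {
	return map[string]any{"apps": map[string]any{
		"tls": map[string]any{"certificates": map[string]any{"load_files": []map[string]any{
			{"certificate": rsaCert, "key": rsaKey, "tags": []string{"rsa"}},
			{"certificate": eccCert, "key": eccKey, "tags": []string{"ecc"}},
		}}},
		"http": map[string]any{"servers": map[string]any{"srv0": map[string]any{
			"listen":                  []string{":443"},
			"tls_connection_policies": []map[string]any{{}}, // TLS on, default policy
			"routes": []map[string]any{{
				"match":  []map[string]any{{"host": []string{host}}},
				"handle": []map[string]any{{"handler": "static_response", "status_code": 200, "body": "OK"}},
			}},
		}}},
	}}
}

func main() {
	dir, err := os.MkdirTemp("", "dualcert")
	if err != nil {
		panic(err)
	}
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails on a broken RNG
	eccKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaCert, rsaKeyPath, err1 := writeSelfSigned(dir, "rsa", rsaKey)
	eccCert, eccKeyPath, err2 := writeSelfSigned(dir, "ecc", eccKey)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	// Save the output as caddy.json and start with: caddy run --config caddy.json
	out, _ := json.MarshalIndent(dualCertConfig(rsaCert, rsaKeyPath, eccCert, eccKeyPath), "", "  ")
	fmt.Println(string(out))
}
```

The empty tls_connection_policies entry turns TLS on for the server with Caddy's default settings, and with both pairs in the cache the default selection hands out the one the client's ClientHello can accept. If that choice needs steering, a non-empty connection policy can carry a certificate_selection block that matches on the tags (any_tag) or on public_key_algorithm. To confirm the behaviour from outside, run openssl s_client against the server twice, once with -sigalgs RSA+SHA256 and once with -sigalgs ECDSA+SHA256, and compare the certificate each handshake returns.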
