Multi root certs support

Viktor Dukhovni openssl-users at dukhovni.org
Fri Mar 11 14:47:36 UTC 2022


> On 11 Mar 2022, at 8:49 am, Tomas Mraz <tomas at openssl.org> wrote:
> 
> Yes, this is a fully supported scenario.
> 
> You can even test it with the openssl s_server command - use -cert,
> -key, and -cert_chain for the first certificate and -dcert, -dkey,
> and -dcert_chain with the second one.

Note that with e.g. SMTP, where some sites also publish DANE
TLSA records, when multiple certificates are configured, multiple
corresponding TLSA records need to be published:

 https://mail.sys4.de/pipermail/dane-users/2017-August/000416.html
 https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html

At the API level you can call `SSL_CTX_use_cert_and_key(3)` multiple
times, once per algorithm.  If `replace` is zero and keys for the same
algorithm are provided more than once an error is reported.  For example:

  https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L152-L181
  https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_cert_and_key.html

The keys, cert and chain are copied by OpenSSL, so you need to free your
copy when no longer needed.

-- 
	Viktor.
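The two points above, one certificate per key algorithm and one TLSA record per configured certificate, worked through in shell. This is an added example, not code from Tomas's or Viktor's posts, from OpenSSL or from Postfix; it assumes the openssl command-line tool (1.1.1 or later) on PATH, and the hostname mail.example.test and the self-signed certificates it generates are made up on the spot.

```sh
#!/bin/sh
# Added example, not from the thread: provision an RSA and an ECDSA
# certificate for one SMTP server, derive the DANE TLSA record each one
# needs, and assemble the s_server flags that load both at once.
# Assumes the openssl CLI (1.1.1+); the certificates are throwaway ones
# generated here, and mail.example.test is a made-up hostname.
set -eu

HOST=mail.example.test
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a private key for the given algorithm and a one-day self-signed
# certificate for it. $1 = file prefix, $2 = algorithm (RSA or EC),
# $3 = -pkeyopt key-generation parameter.
make_cert() {
  openssl genpkey -algorithm "$2" -pkeyopt "$3" -out "$WORK/$1.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -days 1 \
    -subj "/CN=$HOST" -out "$WORK/$1.crt" 2>/dev/null
}

# Report the public key algorithm named in a certificate, e.g.
# rsaEncryption or id-ecPublicKey. Two certificates loaded into one
# SSL_CTX must differ here: one per algorithm.
key_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'
}

# DANE-EE(3) SPKI(1) SHA2-256(1) record for one certificate: the SHA-256
# of its DER-encoded SubjectPublicKeyInfo. Each configured certificate
# carries a different key, so each needs its own record.
tlsa_3_1_1() {
  hash=$(openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1)
  printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$HOST" "$hash"
}

# The s_server invocation from Tomas's reply: first pair on -cert/-key,
# second pair on -dcert/-dkey (no chain flags, the certs are self-signed).
# Printed rather than executed, since it would start a listener.
s_server_command() {
  printf 'openssl s_server -accept 8443 -cert %s -key %s -dcert %s -dkey %s\n' \
    "$WORK/rsa.crt" "$WORK/rsa.key" "$WORK/ecdsa.crt" "$WORK/ecdsa.key"
}

make_cert rsa   RSA rsa_keygen_bits:2048
make_cert ecdsa EC  ec_paramgen_curve:P-256

echo "rsa.crt   key algorithm: $(key_algorithm "$WORK/rsa.crt")"
echo "ecdsa.crt key algorithm: $(key_algorithm "$WORK/ecdsa.crt")"
echo "TLSA records to publish (one per certificate):"
tlsa_3_1_1 "$WORK/rsa.crt"
tlsa_3_1_1 "$WORK/ecdsa.crt"
echo "Serve both with:"
s_server_command
```

Rotating either certificate's key changes that certificate's SPKI hash, so the corresponding TLSA record has to be republished (and the old one kept until the DNS TTL has passed) before the new certificate goes live; the other algorithm's record is unaffected.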