> On 11 Mar 2022, at 8:49 am, Tomas Mraz <to...@openssl.org> wrote: > > Yes, this is a fully supported scenario. > > You can even test it with the openssl s_server command - use -cert, - > key, and -cert_chain for the first certificate and -dcert, -dkey, and - > dcert_chain with the second one.
Note that with e.g. SMTP, where some sites also publish DANE TLSA records, when multiple certificates are configured, multiple corresponding TLSA records need to be published: https://mail.sys4.de/pipermail/dane-users/2017-August/000416.html https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html At the API level you can call `SSL_CTX_use_cert_and_key(3)` multiple times, once per algorithm. If `replace` is zero and keys for the same algorithm are provided more than once an error is reported. For example: https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L152-L181 https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_cert_and_key.html The keys, cert and chain are copied by OpenSSL, so you need to free your copy when no longer needed. -- Viktor.
