Dual certificate

Timo Sirainen tss at iki.fi
Wed Mar 2 14:44:59 UTC 2016


On 02 Mar 2016, at 10:02, Jean-Baptiste Vignaud <flint42 at gmail.com> wrote:
> 
> Hello all;
> 
> 
> Does anyone know if it's possible to have a dual certificate setup on
> dovecot like in postfix or apache?
> 
> I tried to add several crts in the local name section:
> 
> local_name imap.server.tdl {
> ssl_cert = <server_rsa_crt.pem
> ssl_key = <server_rsa_key.pem
> ssl_cert = <server_ecdsa_crt.pem
> ssl_key = <server_ecdsa_key.pem
> }
> 
> But it seems that dovecot takes the last one (ecdsa) and that the rsa cert is
> not used.

Would it work if you had a single .pem file containing both certs and a single file containing both keys?

> In apache we have to duplicate the cert / key lines, one for rsa, one for
> ecdsa.
> 
> In postfix, we have some specific ecdsa conf keys.
> 
> So is there a way to do the same in dovecot?

Looks like from the OpenSSL code's point of view the same cert/key loading functions can simply be called multiple times. There's currently no way to trigger that in Dovecot. But maybe the single .pem file would happen to work as well? If not, this would need some config changes and I'm not sure what would be the nicest way.
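
An added example, not part of the original thread and not Dovecot code: a shell check for which certificate type a TLS server actually presents, which is how to confirm whether both an RSA and an ECDSA certificate are being served. Here `openssl s_server` with `-cert`/`-dcert` stands in for a server with both key types loaded; the certificates, port and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. File names, port and function names are assumptions.

# make_pair DIR: create one self-signed RSA and one ECDSA (P-256) certificate.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$1/rsa_key.pem" -out "$1/rsa_crt.pem" 2>/dev/null &&
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=localhost" \
        -keyout "$1/ecdsa_key.pem" -out "$1/ecdsa_crt.pem" 2>/dev/null
}

# start_dual_server DIR PORT: run OpenSSL's test server on 127.0.0.1 with both
# key types loaded (-cert/-key plus -dcert/-dkey). Sets the variable server_pid.
start_dual_server() {
    openssl s_server -accept "127.0.0.1:$2" -www \
        -cert "$1/rsa_crt.pem" -key "$1/rsa_key.pem" \
        -dcert "$1/ecdsa_crt.pem" -dkey "$1/ecdsa_key.pem" >/dev/null 2>&1 &
    server_pid=$!
    sleep 1   # give the listener time to bind
}

# served_key_type HOST PORT CIPHER: print the public key algorithm of the
# certificate the server presents when the client offers only CIPHER (TLS 1.2).
served_key_type() {
    openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}
```

Against a real IMAPS listener, call `served_key_type` with the server's host name and port 993, once with an ECDHE-RSA cipher and once with an ECDHE-ECDSA cipher. An empty result for one of them means the handshake failed because no certificate of that type is loaded.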


