Multiple Certs and Keys

Yick Xie yick.xie at
Thu May 5 06:12:19 PDT 2016

Hello Nikos,

A little confused about it. Since even I self-signed the another CNAME
domain, I still cannot get rid of the risk of domain resolution,
right? Can ocserv tell apart via CN(common name) and deliver the cert
according to IP-visit or domain-visit? The IP cert has already been
issued with a IP CN, and the cert with a domain CN; but they all share
one private RSA key. Do you think the best solution is to re-issue the
IP cert with a ECC key? or I shall mark different "server-cert=xxx"
strings, such as server-cert=,
server-cert=domain.tld.pem? I think haproxy SNI feature probably could
handle this scene, but without support of client certificates, am I
right? By the way if a server got 2 public IPv4, 1 private IPv4 and
couples of IPv6, can we handle them properly at the same time with
domain certs?  It's believed the ocserv may load and maintain a list
of CN.


2016-05-05 15:37 GMT+08:00 Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at>:
> On Wed, May 4, 2016 at 10:19 AM, Yick Xie <yick.xie at> wrote:
>> Hello,
>> Does ocserv support multiple certs and keys on one server?
> Yes, but they have to by either different type (ECC vs RSA) or have
> different host names set. That way ocserv would know how to serve each
> certificate on each connection. For the case you describe you could
> make an alias (CNAME) of your server address for the users to fallback
> and mark the fallback certificate with that name.
> regards,
> Nikos

More information about the openconnect-devel mailing list