#
# ssl_multicert.config
#
# Documentation:
# https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_multicert.config.en.html
#
# Allows a TLS certificate and private key to be tied to a specific
# hostname or IP address. At load time, the certificate is parsed to
# extract the subject CN and all DNS subjectAltNames. The certificate
# is presented for connections requesting any of the hostnames found in
# the certificate. Wildcard names in certificates are supported, but
# only of the form '*.domain.com', i.e. where '*' is the leftmost domain
# component.
#
# The certificate file path, CA path and key path specified in
# records.config will be used for all certificates, CAs and keys
# specified here.
#
# Fields:
#
# dest_ip=ADDRESS
# The IP (v4 or v6) address on which the certificate should be
# presented. This is now only used as a fallback when the TLS
# ServerNameIndication (SNI) extension is not supported. If ADDRESS is
# '*', the certificate is used as the default fallback when no other
# match can be made.
#
# The address specified here can contain a port specifier, in which
# case the corresponding certificate will only match for connections
# accepted on the specified port. IPv6 addresses must be enclosed by
# square brackets if they have a port, eg, [::1]:80.
#
# ssl_key_name=FILENAME
# The name of the file containing the private key for this certificate.
# If the key is contained in the certificate file, this field can be
# omitted.
#
# ssl_ca_name=FILENAME
# If your certificates are issued by different Certificate Authorities,
# you can optionally specify the corresponding CA file here.
#
# ssl_cert_name=FILENAME
# The name of the file containing the TLS certificate. This is the
# only field that is required to be present.
#
# ssl_key_dialog=[builtin|exec:/path/to/program]
# Method used to provide a pass phrase for encrypted private keys.
# Two options are supported: builtin and exec.
# builtin - Requests the pass phrase via stdin/stdout. Useful for debugging.
# exec: - Executes the given program and uses its stdout output as the
# pass phrase.
#
# action=[tunnel]
# If the connection matches this line, Traffic Server will not take part
# in the handshake but will instead blindly tunnel the SSL connection.
# If the connection is identified by server name, an OpenSSL patch must
# be applied to enable this functionality. See TS-3006 for details.
#
# Examples:
# ssl_cert_name=foo.pem
# dest_ip=* ssl_cert_name=bar.pem ssl_key_name=barKey.pem
# dest_ip=209.131.48.79 ssl_cert_name=server.pem ssl_key_name=serverKey.pem
# dest_ip=10.0.0.1:99 ssl_cert_name=port99.pem
# ssl_cert_name=foo.pem ssl_key_dialog="exec:/usr/bin/mypass foo 'ba r'"
# ssl_cert_name=foo.pem action=tunnel
# ssl_cert_name=wildcardcert.pem ssl_key_name=privkey.pem