#
# ssl_multicert.config
#
# Documentation:
#    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_multicert.config.en.html
#
# Allows a TLS certificate and private key to be tied to a specific
# hostname or IP address. At load time, the certificate is parsed to
# extract the subject CN and all the DNS subjectAltNames.  The
# certificate will be presented for connections requesting any of the
# hostnames found in the certificate. Wildcard names in the certificates
# are supported, but only of the form '*.domain.com', i.e. where '*'
# is the leftmost domain component.
#
# The certificate file path, CA path and key path specified in
# records.config will be used for all certificates, CAs and keys
# specified here.
#
# Fields:
#
# dest_ip=ADDRESS
#   The IP (v4 or v6) address that the certificate should be presented
#   on. This is now only used as a fallback when the client does not
#   support the TLS Server Name Indication (SNI) extension. If ADDRESS
#   is '*', the certificate will be used as the default fallback if no
#   other match can be made.
#
#   The address specified here can contain a port specifier, in which
#   case the corresponding certificate will only match for connections
#   accepted on the specified port. IPv6 addresses must be enclosed in
#   square brackets if they have a port, e.g. [::1]:80.
#
# ssl_key_name=FILENAME
#   The name of the file containing the private key for this certificate.
#   If the key is contained in the certificate file, this field can be
#   omitted.
#
# ssl_ca_name=FILENAME
#   If your certificates have different Certificate Authorities, you
#   can optionally specify the corresponding file here.
#
# ssl_cert_name=FILENAME
#   The name of the file containing the TLS certificate. This is the
#   only field that is required to be present.
#
# ssl_key_dialog=[builtin|exec:/path/to/program]
#   Method used to provide a passphrase for encrypted private keys.
#   Two options are supported: builtin and exec.
#     builtin - Requests the passphrase via stdin/stdout. Useful for
#       debugging.
#     exec: - Executes a program and uses its stdout output as the
#       passphrase.
#
# action=[tunnel]
#   If the connection matches this line, Traffic Server will not
#   participate in the handshake. Instead, it will blind tunnel the SSL
#   connection. If the connection is identified by server name, an
#   OpenSSL patch must be applied to enable this functionality. See
#   TS-3006 for details.
#
# Examples:
#   ssl_cert_name=foo.pem
#   dest_ip=* ssl_cert_name=bar.pem ssl_key_name=barKey.pem
#   dest_ip=209.131.48.79 ssl_cert_name=server.pem ssl_key_name=serverKey.pem
#   dest_ip=10.0.0.1:99 ssl_cert_name=port99.pem
#   ssl_cert_name=foo.pem ssl_key_dialog="exec:/usr/bin/mypass foo 'ba r'"
#   ssl_cert_name=foo.pem action=tunnel
#   ssl_cert_name=wildcardcert.pem ssl_key_name=privkey.pem
