default-crt <cert>
This option does the same as the "crt" option, with the difference that this
- certificate will be used as a default one. It is possible to add multiple
- default certificates to have an ECDSA and an RSA one, having more is not
- really useful.
+ certificate will be used as a default one as well. It is possible to add
+ multiple default certificates to have an ECDSA and an RSA one, having more is
+ not really useful.
+
+ This option does not disable implicit default certificates, if a 'crt'
+ certificate is declared first before any 'default-crt' or other 'crt' it will
+ still be used as a default certificate.
A default certificate is used when no "strict-sni" option is used on the bind
line. A default certificate is provided when the servername extension was not
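Review bot: The added paragraph beginning "This option does not disable implicit default certificates" quotes keywords with single quotes ('crt', 'default-crt'), while the rest of this entry uses double quotes ("crt", "strict-sni"). Its comma splice and the redundant "first before" also make the rule hard to parse. Suggested wording: This option does not disable implicit default certificates: if a "crt" certificate is declared before any "default-crt" or other "crt", it is still used as a default certificate. Because the practical effect is that a certificate can be served as a default without being marked as one, it would help to point from this paragraph to "strict-sni", which the next paragraph already names as the way to have no default certificate.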
Example:
+ # this bind line has 2 default certificates
bind *:443 default-crt foobar.pem.rsa default-crt foobar.pem.ecdsa crt website.pem.rsa
+ # this bind line has 3 default certificates
+ bind *:443 crt website.pem.rsa default-crt foobar.pem.rsa default-crt foobar.pem.ecdsa
+
See also the "crt" keyword.
curves <curves>
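Review bot: The second example, commented "# this bind line has 3 default certificates", ends up with two RSA defaults (website.pem.rsa implicitly and foobar.pem.rsa explicitly), yet the description above says having more than an ECDSA and an RSA one is not really useful. Nothing in the entry says which of the two RSA certificates is then presented as the default. Either document the selection order, or change the comment to say that this line shows the implicit-default case, where the leading "crt" becomes a default in addition to the two "default-crt" entries, so readers do not copy it as a recommended layout.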