[RFE - VirtualServer] Support for 2 (or more) certificates

[mariusz-gomse-centra]

Discussed in #5101

Currently VirtualServer CRD provide possibility to add easily only 1 tls secret. In my case (see discussion link above) I wanted to have RSA & ECDSA cyphers so 2 tls secrets were needed.

I found a workaround (using 2nd VirtualServer and snippets in the 1st one - see discussion) however it will be nice to be able to add more than 1 tls secret for VS - sometimes it can be even 3 (RSA, ECDSA, DH)

References:

• https://stackoverflow.com/questions/63728714/nginx-not-supporting-tls1-2-ciphers

[brianehlert]

@jasonwilliams14 can you please suggest the proper nginx.conf syntax that we need to achieve?
And include details if there is certificate ordering that we need to consider.

[jasonwilliams14]

It is not uncommon for users to want to support both RSA and ECDSA certificates in NGINX.
ECDSA certificates have some advantages including being smaller.
This would allow customers to use both types of certs in their setup.
This would be a feature request (RFE) to allow NGINX Ingress controller to use multiple certificates in the server blocks.

The output of the nginx.conf would be something similar to the following:

# multiple certs and private keys example
ssl_certificate		/etc/nginx/ssl/ecdsa.pem;
ssl_certificate_key	/etc/nginx/ssl/ecdsa.key;
ssl_certificate		/etc/nginx/ssl/rsa.pem;
ssl_certificate_key	/etc/nginx/ssl/rsa.key;

Essentially, we add an additional ssl_certificate and ssl_certificate_key to the server block.
One would point to say and RSA cert and key.
The second would point to a ECDSA cert and key.

We would need to extend the resource to add the option to add multiple certs and generate the appropriate .conf.

[jasonwilliams14]

@mariusz-gomse-centra Thanks for the information again. We are planning on adding this capability as part of the product and are currently going through the planning phases. We do not have an ETA on when we will be releasing it, so keep an eye on our our releases page and notes. You can also monitor our issues when the story is written to see how we are progressing. Thank you again!