> Similar question for certs with SANs - does it consider the
> alternative names in the selection process?

Yes, as per the doc:

> The certificates will be presented to clients who provide a
> valid TLS Server Name Indication field matching one of
> their CN or *alt subjects*.

> And lastly, what if I want "everything without a specific cert to
> use cert X, even though hostname doesn't match".

Unless you use strict-sni [1], there will be a default certificate, which is used in case the client doesn't provide a SNI value.

If you really have exotic requirements, you can just map the certificates yourself with a crt-list [2].

Lukas

[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-strict-sni
[2] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt-list
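
An added illustration of the reply above, not part of the original message: a crt-list that maps certificates to SNI names by hand, with the first loaded certificate acting as the default. All file paths, hostnames and the backend name are constructed placeholders.

```haproxy
# ---- /etc/haproxy/crt-list.txt (constructed example) ----
# Line format per the 1.5 documentation: <crtfile> [[!]<snifilter> ...]

# No filter: the certificate's own CN and alt subjects are used for matching.
/etc/haproxy/certs/shop.pem

# Explicit filters: served for these SNI names instead of the CN/SANs.
/etc/haproxy/certs/legacy.pem old.example.com partner.example.net

# Wildcard filter, with a negative filter excluding one name from it.
/etc/haproxy/certs/wild.pem *.example.org !internal.example.org

# ---- haproxy.cfg (constructed example) ----
frontend https-in
    mode http
    # fallback.pem is loaded first, so it is the default certificate: it is
    # presented when the client sends no SNI or an SNI that matches nothing.
    bind :443 ssl crt /etc/haproxy/certs/fallback.pem crt-list /etc/haproxy/crt-list.txt
    default_backend web   # placeholder backend, defined elsewhere

    # Alternative: add strict-sni to refuse the handshake instead of
    # presenting the default certificate to unmatched clients.
    # bind :443 ssl crt /etc/haproxy/certs/fallback.pem crt-list /etc/haproxy/crt-list.txt strict-sni
```

Without strict-sni, a client asking for an unmatched name receives fallback.pem and will see a hostname mismatch unless that certificate happens to cover the name.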