From 0fab5ad14f25f2458c0847880cca4d8dc175db2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Mon, 15 Jun 2026 08:18:02 +0200
Subject: [PATCH v2 6/8] Document ssl_alt_cert_file limitations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Note that the alternate certificate must use a different key type than
the primary, and that this setting applies only to the default SSL
configuration from postgresql.conf, not to per-host entries in
pg_hosts.conf.

Author: Renaud Métrich <rmetrich@redhat.com>
---
 doc/src/sgml/config.sgml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 4d712ed852b..a684523aeb4 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1345,6 +1345,14 @@ include_dir 'conf.d'
         The default is empty, meaning no alternate certificate is loaded.
         Both <varname>ssl_alt_cert_file</varname> and
         <xref linkend="guc-ssl-alt-key-file"/> must be set together.
+        The alternate certificate must use a different key type than the
+        primary certificate; specifying the same type is an error.
+       </para>
+       <para>
+        This setting applies only to the default SSL configuration from
+        <filename>postgresql.conf</filename>.  Per-host certificate
+        configuration via <filename>pg_hosts.conf</filename> is not affected
+        by this parameter.
        </para>
       </listitem>
      </varlistentry>
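Review bot: The added sentence "specifying the same type is an error" does not say when the error is reported or what it results in (server refuses to start, reload is rejected, or the alternate pair is ignored), which an administrator needs to know before swapping TLS material on a running server. Please state the outcome, and give "key type" a concrete meaning by naming the kinds of pairs intended (for example RSA alongside ECDSA). In the new paragraph, "is not affected by this parameter" can be read either way for a connection that matches a pg_hosts.conf entry; say plainly whether such hosts ever present the alternate certificate, so nobody assumes dual-certificate coverage that a per-host entry does not get.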
-- 
2.52.0

