#fleet

Juan Alvarez

04/20/2021, 5:04 PM
Hi all, is there a way to set up more than 1 certificate to the FleetDM server? Due to the recent discovery of performance issues with RSA 4096 key, I want to switch a whole deployment to a new certificate with ECDSA in the most seamless way possible. I do not know if this is possible at all; the only way I could think of is to bundle the certificates in the same file and change the --tls_server_certs flag in the osquery side and, once all the agents are using the new file, then change the certificate in the FleetDM side. I wonder if there is a better way to handle a certificate change?
zwass

04/20/2021, 5:06 PM
I think your approach including both cert chains in the bundle would work. Definitely test that osquery is happy with that. You could also just cut over immediately and let osquery handle buffering results during the downtime until the new cert bundle has propagated.
Juan Alvarez

04/20/2021, 5:17 PM
I see, thanks!