Due to a mix of legacy devices and newer devices I want to serve both RSA and EC certificates for a service that is exposed via HTTPS using the same DNS name and on the same port.
I have followed the official guide for secure gateways of istio mentioned here: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-mutual-tls-ingress-gateway. Unfortunately it doesn't mention whether it's possible at all to configure multiple certificates for a single secure gateway.
According to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl envoy supports certificate selection based on the advertised cipher suites of the client connecting to the service.
Can istio generate a envoy configuration with a DownstreamTlsContext using two certificates? If yes how would I go about configuring this in istio / the involved k8s Secrets?
I'm aware that I can passthrough the TLS traffic to a pod (running e.g. nginx) and do the TLS offloading within that pod, but as of now I'd like to keep my cluster as homogenous as possible.