Is it possible to use more than one certificate on the same server at the same time, on the same connection? If I have a certificate from Alice Keys CA and another from Bob Security CA, is it possible to serve both, for the benefit of those browsers that trust only AliceCA and those which trust only BobCA?

This is not the same as "Certificate verified using two different paths" question, because I'm referring to two completely different certificates:

  • ACA root certificate self-signed -> My A certificate for mysite.org
  • BCA root certificate self-signed -> My B certificate for mysite.org
Envite

2 Answers

Yes, you can have more than one trusted certificate path on a single server.

Regarding your concern, please note that a certification path does not refer to certifying the server certificate but its public key; therefore a certification path might consist of one self-signed certificate only.

Speaking of a server providing two self-signed certificates is equivalent to speaking of a server providing two certification paths.

techraf
Yes.

Note that providing more than one certificate is common amongst servers to enable TLS connections with different parameters. A server chooses and sends one of its certificates with respect to:

  • CipherSuite list sent by the client in the Client Hello message. For example, if the server wants to negotiate the cipher TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, then it should send a certificate with an RSA public key. On the other hand, if the server wants to negotiate the cipher TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, then it should send a certificate with an ECDSA public key.
  • Signature Algorithms extension sent in the Client Hello. If a client sends this extension, then the server needs to take it into account when it sends any certificate to the client.

From the TLS 1.2 spec, Server Certificate:

The certificate MUST be appropriate for the negotiated cipher suite's key exchange algorithm and any negotiated extensions.

Also, the answers to this question are relevant to your question: I see two different sets of certificates for Google websites when I am at work and when I am at home

Makif
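The selection rule Makif describes (pick a certificate whose key type matches the negotiated cipher suite, and respect the client's signature_algorithms extension), as an added simulation in Python; this is example code written for this page, not code from any answer or TLS library. The `ServerCert` class, the cipher-suite and signature-algorithm tables, and the server preference list are assumptions constructed for the example; the check against signature_algorithms is simplified to the key type rather than the exact hash pairing.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServerCert:
    """One of the server's certificates (constructed sample, not a real certificate)."""
    subject: str
    key_type: str   # "RSA" or "ECDSA": the public key type the cipher suite must match
    issuer: str     # which CA chain this certificate belongs to (ACA or BCA in the question)

# Authentication key type each TLS 1.2 cipher suite requires (suite names from RFC 5246 / RFC 5289).
SUITE_KEY_TYPE = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "RSA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "RSA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "RSA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDSA",
}

# signature_algorithms entries (RFC 5246 section 7.4.1.4.1) and the key type each can verify.
SIGALG_KEY_TYPE = {
    "rsa_sha256": "RSA", "rsa_sha384": "RSA",
    "ecdsa_sha256": "ECDSA", "ecdsa_sha384": "ECDSA",
}

# Constructed sample: the two certificates from the question, one per CA, with different key types.
SERVER_CERTS = [ServerCert("mysite.org", "RSA", "ACA"), ServerCert("mysite.org", "ECDSA", "BCA")]
SERVER_PREFS = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

def select_certificate(server_certs, server_suite_prefs, client_suites, client_sig_algs=None):
    """Return (cipher_suite, certificate) the server would send, or None for handshake_failure.

    Walks the server's preference order, keeps only suites the client also offered,
    and requires a certificate whose key type fits that suite. If the client sent
    signature_algorithms, the certificate's key type must be one the client can verify.
    """
    offered = set(client_suites)
    allowed_key_types = None
    if client_sig_algs is not None:
        allowed_key_types = {SIGALG_KEY_TYPE[a] for a in client_sig_algs if a in SIGALG_KEY_TYPE}
    for suite in server_suite_prefs:
        if suite not in offered or suite not in SUITE_KEY_TYPE:
            continue
        needed = SUITE_KEY_TYPE[suite]
        if allowed_key_types is not None and needed not in allowed_key_types:
            continue   # client could not validate a certificate of this key type
        for cert in server_certs:
            if cert.key_type == needed:
                return suite, cert
    return None   # no (suite, certificate) pair satisfies the client's constraints
```

A client that offers only RSA suites but advertises only ECDSA signature algorithms gets `None`, which is the handshake_failure case the spec's MUST is guarding against.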