It is normal, expected and actually recommended that big sites use several certificates. Google is huge and has many servers around the world; DNS and routing are done in such a way that, on average, your requests to www.google.com go to the nearest server, where "near" is meant in the network's topology, which can differ from geographical considerations.
Each server with the www.google.com name must be able to use a certificate bearing its name (or something matching its name, like *.google.com), and the server must have access to the corresponding private key. However, if two geographically distant servers both use the same private key, then that private key must necessarily have travelled between them or from a common source at some point. The more a private key is duplicated and travels, the less "private" it can be.
It is thus better, security-wise, that each server generates its own private/public key pair, and obtains a server-specific certificate. From the point of view of a client, you may observe several of these certificates, in particular if you "move" (in the network world, your work office and your home can be quite far from each other).
Other situations which necessarily imply certificate changes are renewals. Certificates have a limited lifetime, with an "end of validity" date; they typically live for one to three years. Renewal may or may not reuse the same public key, but in any case the new certificate will be distinct from the old one, if only in the expiry date. X.509 is designed to support such updates smoothly. It is actually designed to support renewals every 5 minutes, which is complete overkill; Convergence tries to live in that "overkill margin" (i.e. it detects fishy certificates by virtue of them being seemingly renewed or changed way too often).
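As an added illustration of the server-specific certificates and the client-side check described above (example code, not from the answer, Google or Convergence), this Go program builds a constructed root CA and two leaves for the same host name, each with its own freshly generated key pair, and verifies both against the root; the names "Example Root CA" and www.example.com are assumed placeholders.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert issues a certificate for name with a freshly generated key pair, signed by
// parent/parentKey, or self-signed when parent is nil: one new key per server, as advised above.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if !isCA { // a leaf carries the host name in its SAN and the serverAuth EKU
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ChainsToRoot is the check a client should rely on: the leaf, whichever server presented it, must
// chain to a trusted CA and name the expected host. Pinning one leaf's thumbprint would break at the next server or renewal.
func ChainsToRoot(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// Demo builds a constructed CA plus two server-specific leaves for one host name and compares/verifies them.
func Demo() (sameThumbprint, bothTrusted bool) {
	ca, caKey := newCert("Example Root CA", true, nil, nil)
	leafA, _ := newCert("www.example.com", false, ca, caKey) // server in one region
	leafB, _ := newCert("www.example.com", false, ca, caKey) // another server, its own key pair
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	sameThumbprint = sha256.Sum256(leafA.Raw) == sha256.Sum256(leafB.Raw)
	bothTrusted = ChainsToRoot(leafA, roots, "www.example.com") && ChainsToRoot(leafB, roots, "www.example.com")
	return sameThumbprint, bothTrusted
}
```

Running Demo gives different thumbprints for the two leaves while both verify against the root, which is exactly the situation a client sees when it is routed to different servers of the same site.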