This is a weird goal but I need to be able to route connections to the same server and domain name but under different certificate.

For some very specific devices that have the certificate of the server stored on them we need to let them connect to the web service (no login, simple REST get, no sensitive information here) but for that we need to use the "old" certificate (not expired). While still using the normal certificate for browser connections.

This means that I need to find a way to offer a specific certificate based on the TLS ClientHello but I cannot use the SNI. For example the supported_versions or the application_layer_protocol_negotiations would work but I don't know any tool that can do that (if that even exist).