
I need to be able to present the web client accessing my site two certificates signed by two different CAs, if the client doesn't trust one, it should pick up the other one. Is there a way to do that? I am running NGINX under an Ubuntu 16.04.3 vm.

Facundo
  • yes, see this question https://serverfault.com/questions/412432/how-to-specify-multiple-root-certificates-for-nginx-client-certificate-verificat if you have nginx 1.11.0+ and openssl 1.0.2+ you can have multiple certificate chains http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate – ralz Oct 07 '17 at 02:04

1 Answer

if you have nginx 1.11.0+ and openssl 1.0.2+ you can have multiple certificate chains

From http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate


Since version 1.11.0, this directive can be specified multiple times to load certificates of different types, for example, RSA and ECDSA:

server {
    listen              443 ssl;
    server_name         example.com;

    ssl_certificate     example.com.rsa.crt;
    ssl_certificate_key example.com.rsa.key;

    ssl_certificate     example.com.ecdsa.crt;
    ssl_certificate_key example.com.ecdsa.key;

    ...
}

Only OpenSSL 1.0.2 or higher supports separate certificate chains for different certificates. With older versions, only one certificate chain can be used.

ralz
  • Is there a preference for one over the other? Say a client actually has both CAs as trusted on their machines, which one is going to be accepted? – Facundo Oct 07 '17 at 02:45
  • if you use RSA and ECDSA certificates you can use ssl_ciphers to prioritize one over another as described here https://scotthelme.co.uk/hybrid-rsa-and-ecdsa-certificates-with-nginx/ – ralz Oct 07 '17 at 03:17
  • I tried doing this with two RSA certificate/keys but it threw an error stating that I already defined those – Facundo Oct 07 '17 at 05:10
  • The documentation implies that the certificates must be of different types. However, I don't think even this would fix the trust issue you are having, since it is actually the client making the decision whether to trust a certificate or not. – Tero Kilkanen Oct 07 '17 at 10:13
  • @TeroKilkanen One of the two certificates is guaranteed to be trusted by the client, not necessarily both of them. I'd suppose the client will choose to accept the trusted one and not just throw an https error. – Facundo Oct 07 '17 at 16:23
  • 1
    I think it is the server that decides the certificate to give to the client based on the certificate types the client supports. If that certificate is not OK for the client, then it displays an error. I am not 100% sure, but I don't think the server can send two certificates at the same time and let client choose which one to use. – Tero Kilkanen Oct 07 '17 at 22:54
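The point made in the last two comments (the server picks one certificate from what the client advertises; the client's CA trust never enters that choice) can be shown with a small model. The code below is an added example and is not from the Server Fault thread, nginx or OpenSSL; it models TLS 1.2 certificate selection with one RSA and one ECDSA certificate. The cipher-suite and signature-algorithm names are the standard OpenSSL/TLS ones, while the certificate file names, the CAs "CA-Alpha" and "CA-Beta", and the client profiles are constructed for the demonstration.

```python
# Added example (not from the thread): a simplified model of how a TLS 1.2
# server holding one RSA and one ECDSA certificate chooses which one to send.
# Certificate names, CAs and client profiles below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    name: str       # e.g. "example.com.rsa.crt" (constructed)
    key_type: str   # "RSA" or "ECDSA": the certificate's public key type
    issuer: str     # CA that signed it (constructed)


# Authentication key type implied by each cipher suite (real OpenSSL names, subset).
CIPHER_AUTH = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": "ECDSA",
    "ECDHE-ECDSA-CHACHA20-POLY1305": "ECDSA",
    "ECDHE-RSA-AES128-GCM-SHA256": "RSA",
    "ECDHE-RSA-CHACHA20-POLY1305": "RSA",
}


def load_certificates(certs: List[Cert]) -> Dict[str, Cert]:
    """One certificate per key type: a second RSA (or ECDSA) certificate is not
    an extra choice but a conflict, matching the error reported in the thread
    when two RSA certificates were configured."""
    by_type: Dict[str, Cert] = {}
    for cert in certs:
        if cert.key_type in by_type:
            raise ValueError(f"a {cert.key_type} certificate is already configured "
                             f"({by_type[cert.key_type].name})")
        by_type[cert.key_type] = cert
    return by_type


def sigalg_key_type(sigalg: str) -> Optional[str]:
    """Map a signature_algorithms entry (e.g. rsa_pss_rsae_sha256,
    ecdsa_secp256r1_sha256) to the key type it can verify."""
    if sigalg.startswith("ecdsa_"):
        return "ECDSA"
    if sigalg.startswith("rsa_"):
        return "RSA"
    return None


def select_certificate(server_ciphers: List[str], certs: List[Cert],
                       client_ciphers: List[str], client_sigalgs: List[str],
                       prefer_server_ciphers: bool = True) -> Optional[Tuple[str, Cert]]:
    """Return the (cipher, cert) pair the server would negotiate, or None when no
    usable cipher suite is shared. Only the client's advertised cipher suites and
    signature algorithms enter the decision; the CAs the client trusts are not
    signalled in a TLS 1.2 ClientHello, so they cannot influence it."""
    by_type = load_certificates(certs)
    client_key_types: Set[Optional[str]] = {sigalg_key_type(s) for s in client_sigalgs}
    first, second = ((server_ciphers, client_ciphers) if prefer_server_ciphers
                     else (client_ciphers, server_ciphers))
    for cipher in first:
        if cipher not in second:
            continue
        key_type = CIPHER_AUTH.get(cipher)
        cert = by_type.get(key_type)
        if cert is not None and key_type in client_key_types:
            return cipher, cert
    return None


def client_accepts(cert: Cert, trusted_cas: Set[str]) -> bool:
    """Trust is evaluated by the client only after the server has already chosen."""
    return cert.issuer in trusted_cas


# Constructed server side: ssl_ciphers ordered ECDSA first (a typical hybrid
# setup) with ssl_prefer_server_ciphers on, and the two certificates from the answer.
SERVER_CIPHERS = list(CIPHER_AUTH)
CERTS = [
    Cert("example.com.rsa.crt", "RSA", "CA-Alpha"),
    Cert("example.com.ecdsa.crt", "ECDSA", "CA-Beta"),
]


def demo() -> Dict[str, dict]:
    """Two constructed clients, both trusting only CA-Alpha (the RSA issuer)."""
    clients = {
        # Modern client: offers every suite and both signature families.
        "modern": (list(CIPHER_AUTH),
                   ["ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256", "rsa_pkcs1_sha256"]),
        # Legacy client: RSA-only.
        "legacy": (["ECDHE-RSA-AES128-GCM-SHA256"], ["rsa_pkcs1_sha256"]),
    }
    out = {}
    for label, (ciphers, sigalgs) in clients.items():
        chosen = select_certificate(SERVER_CIPHERS, CERTS, ciphers, sigalgs)
        cipher, cert = chosen
        out[label] = {"cipher": cipher, "cert": cert.name,
                      "accepted": client_accepts(cert, {"CA-Alpha"})}
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "modern" client trusts only CA-Alpha, yet because it advertises ECDSA support and the server prefers ECDSA suites, it receives the CA-Beta ECDSA certificate and fails verification; the server had no way to know. The "legacy" client gets the RSA certificate only because it could not do ECDSA at all. This is why two certificates from different CAs cannot act as a fallback for client trust: the selection is driven by key type and cipher preference, and the configured order (ssl_ciphers with ssl_prefer_server_ciphers) is the only lever on the server side.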