I didn't even think of this possibility, but I've just seen a Java Control Panel (JDK 1.8.0_xx) with two certificates sharing the same alias. One is the renewed version of the other - that is, say one expires on Jul 1, 2015, the other expires on Jul 1, 2106.
I've been asked whether this is a normal situation. I don't know or, better, I'm not sure. The point is: what will happen on Jul 2, 2015? How does the Java Plugin check for a signature? If it's just searching for the first valid certificate (that is, it matches the signature and is valid), everything should be fine: today it's picking either certificate, on Jul 2 it will pick the one still valid.
A problem would arise if the logic is: if it finds an invalid certificate, it consider invalid all the certificates with the same alias. It sounds a bit cumbersome to me, so I don't think it's the case. But I'd like to find some official document about this.
My normal policy for managing certificate is that when there's one to renew, the old one is removed from the plugin repository. But the system I've been asked about seems to have a different policy: the renewed certificate is just added.
Thanks.
