
Aim: To host 2 certificates in the Apache configuration for the SAME HOST (domain), so that either of them is OK for communication at the same time. If Public key 1 is used by a client and it matches either of the 2 private keys, it should work.

Changing PORT is not possible for me.

Reason: We are stuck in an overlap situation. For 30 days we have to use the older certificate as well as the newer one, because not all 200 clients will set up the public key at the same time; it needs a 2-week window for all of them to get to the new key.

I know about the 1-certificate-for-multiple-hosts situation, BUT I need a way to support multiple certificates for a single host at the same time.

I need Apache config for the same.

I have no idea how to do this, and no guidance is available online about it.

  • sounds like a [x-y problem](https://meta.stackexchange.com/q/66377) to me: "public keys" are set up at the time of establishing a connection, and the key typically is signed by a CA. As long as _all clients trust_ the CA, you're good for server-side certs. If you use private keys on the client side, that's yet another direction, and their public keys are also signed by a (potentially different) CA that _the server must trust_. So, at a minimum, I expect this to be _not a key_ issue, but a _cert_ issue. But with quite a low amount of information. – Olaf Kock Jul 15 '21 at 09:29
  • @OlafKock this is Configuration issue. I don't know how to write Apache config that can host 2 different certificates for same domain. Both certificates are same CA and also valid. No self signed thing. I want the scenario to support 2 certificates at same time while some of my clients will use Pub-Key-1 to send the traffic and some will use Pub-Key-2. Now how to make apache understand this is my problem. – Hardik Trivedi Jul 15 '21 at 09:42
  • The _key pair_ is negotiated during connection establishment, based on the server's CA being trusted by the client. Each connection gets their own public/private key pair, that can be renegotiated at any time. Thus, I believe that you're hunting something different, or a nonexistent problem. There is no single (or dual) _public key_ that's relevant for this. Otherwise, please edit your question to contain the exact scenario that fails in your current setup. – Olaf Kock Jul 15 '21 at 10:12
  • Also: Being a configuration issue, as you state yourself, it would be off topic on Stackoverflow (see [help/on-topic] and the [tag:apache] tag description) Stackoverflow focusses on programming-related topics. There's a good chance that some programming navigated you into the corner that you're in, but as it is, there's no hint for that in your current question. – Olaf Kock Jul 15 '21 at 10:13
  • @OlafKock I don't get that. I think you didn't understand. I want a failsafe mechanism: if Certificate-1 is unable to decrypt data sent by Client-1, it will try Certificate-2, so if the 2nd one is a success we proceed with the business logic. The issue is we don't know which client will use which Public Key at which time. For 30 days we have this situation. And I want help with the Apache config as stated in the original question. – Hardik Trivedi Jul 15 '21 at 12:08
  • @OlafKock The key pair is negotiated during connection establishment, based on the server's CA being trusted by the client. This I know, but our clients are having Public Key as a file in their system and HTTP agent sends data based on that public key. And we will push new Key to the clients but we can't expect them all to apply new key at same time. So we need something which will allow traffic with either of them. – Hardik Trivedi Jul 15 '21 at 12:10
  • So you've effectively custom-coded your way around the TLS standard (which relies on trusted CAs and not immutable public keys) and painted yourself into a corner. As this stays a configuration question, I'm voting to close as off-topic (described above). Please edit it with a [mcve] to make it a programming question, or find the appropriate site on the stackexchange network please. serverfault _might_ be one. – Olaf Kock Jul 15 '21 at 12:26
  • With Apache 2.4.8 and up, the `SSLCertificateFile` directive can be used [two or more times](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#page-header): _[SSLCertificateFile] points to a file with certificate data in PEM format.... The directive can be used multiple times (referencing different filenames) to support multiple algorithms for server authentication - typically RSA, DSA, and ECC. The number of supported algorithms depends on the OpenSSL version being used for mod_ssl_ I haven't tested this; you *might* have to issue the new cert with a different algorithm. – GLRoman Apr 11 '22 at 21:54
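What the last comment describes, written out as a vhost fragment. This is an added example, not config from the question or the comments; the hostname and file paths are placeholders, and it assumes Apache 2.4.8+ with mod_ssl on a modern OpenSSL.

```apache
# Added example: one VirtualHost that loads two certificates for the same
# hostname. Paths and the hostname are placeholders.
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on

    # Certificate 1: the existing certificate, issued for an RSA key.
    SSLCertificateFile    /etc/ssl/certs/example.com.rsa.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.rsa.key

    # Certificate 2: the replacement certificate, issued for an ECDSA key.
    # mod_ssl keeps one certificate per key algorithm, so this only works
    # because the key types differ: a second RSA certificate would replace
    # the first instead of being offered alongside it. There is no
    # "try cert 1, then fall back to cert 2" mode.
    SSLCertificateFile    /etc/ssl/certs/example.com.ecdsa.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.ecdsa.key

    # Which certificate is sent is decided by TLS negotiation (the cipher
    # suites and signature algorithms the client offers, matched against
    # the server's preferences below), not by which public key file the
    # client happens to have on disk. A client that offers only RSA cipher
    # suites gets certificate 1; a client that also offers ECDSA may get
    # certificate 2. A client that pins the old public key must therefore
    # be tested against this behaviour before the overlap is relied on.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
</VirtualHost>
```

To see which certificate a given client will be shown, connect with `openssl s_client -connect example.com:443 -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256` and again with `-cipher ECDHE-ECDSA-AES128-GCM-SHA256`, and compare the subject and public key printed in each case.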
