
Multiple SSL Cert Bundles?


My company is wanting to utilize two different types of SSL certificates for our website: one that is using RSA, and one that is ECDSA. The reason is that external services that utilize our site are using code that is very old, so we need to have both for compatibility.

EDIT: We're using Apache 2.4, and both certificates are from the same authority. As such, the Root CAs below are the same, but the intermediates are different because of the RSA/ECDSA difference.

Our Apache config would be as follows:

### RSA cert
SSLCertificateFile          /etc/ssl/certs/website_com_rsa.crt
SSLCertificateKeyFile       /etc/ssl/private/website_com_rsa.key

### ECDSA cert for compatibility
SSLCertificateFile          /etc/ssl/certs/website_com_ecdsa.crt
SSLCertificateKeyFile       /etc/ssl/private/website_com_ecdsa.key

### RSA/ECDSA cert bundle
SSLCertificateChainFile /etc/ssl/certs/website_com.ca-bundle

The part I'm not sure about is the CA bundle. My questions are:

  1. Can I use two different SSLCertificateChainFile directives, one for each type (RSA and ECDSA)?
  2. If I can't, then how do I combine the CA bundles from two different certificate bundles into one file? Say I had two CA bundle files that have the order like so:

RSA Bundle

-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----

ECDSA Bundle

-----BEGIN CERTIFICATE-----
...
<ecdsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<ecdsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----

In what order should they be combined?


Solution

  • From the Apache 2.4 docs for SSLCertificateChainFile, it looks like you would provide the separate chains in the files configured with SSLCertificateFile, i.e. combining the server certificate with its corresponding certificate chain, in the same file.

    For example, your /etc/ssl/certs/website_com_rsa.crt might contain multiple certificates, from the server cert up through the root:

    -----BEGIN CERTIFICATE-----
    ...
    <website-com-rsa>
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    <rsa-intermediate-1>
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    <rsa-intermediate-2>
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    <root-ca>
    ...
    -----END CERTIFICATE-----
    

    And similarly for your /etc/ssl/certs/website_com_ecdsa.crt file. This would mean not using SSLCertificateChainFile.

    Hope this helps!
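As an added example (not part of the question or the answer above), this POSIX shell script builds a throwaway root/intermediate/leaf PKI with the openssl CLI for both key types, writes each leaf-first file the answer describes, and checks that every certificate's issuer is the subject of the one after it and that the leaf verifies up to the root. It assumes an openssl CLI of 1.1.1 or newer with its default config; every path, file name and CN is constructed for the example.

```shell
#!/bin/sh
# Constructed PKI: one shared root, an RSA and an ECDSA intermediate, one leaf
# under each. Writes the two leaf-first files the answer describes and checks
# them with the openssl CLI. Every name, path and CN here is made up.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper; set -e still aborts on failure
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"

# Same authority for both certificates, as in the question: a single root.
q openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -days 1 -subj '/CN=Constructed Root CA' -keyout "$WORK/root.key" -out "$WORK/root.crt"

# issue_chain LABEL KEYSPEC...: root -> intermediate -> leaf, then the combined file.
issue_chain() {
  l=$1; shift
  q openssl req -new -nodes -newkey "$@" -subj "/CN=Constructed $l Intermediate" \
    -keyout "$WORK/int-$l.key" -out "$WORK/int-$l.csr"
  q openssl x509 -req -days 1 -in "$WORK/int-$l.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int-$l.crt"
  q openssl req -new -nodes -newkey "$@" -subj '/CN=website.com' \
    -keyout "$WORK/website_com_$l.key" -out "$WORK/leaf-$l.csr"
  q openssl x509 -req -days 1 -in "$WORK/leaf-$l.csr" -CA "$WORK/int-$l.crt" \
    -CAkey "$WORK/int-$l.key" -CAcreateserial -out "$WORK/leaf-$l.crt"
  # What SSLCertificateFile points at: server cert first, then intermediate(s), then root.
  cat "$WORK/leaf-$l.crt" "$WORK/int-$l.crt" "$WORK/root.crt" > "$WORK/website_com_$l.crt"
}

# check_chain FILE: every certificate's issuer must be the subject of the next one,
# and the first certificate must verify up to the root using only FILE's contents.
check_chain() {
  rm -f "$WORK"/part*.pem
  awk -v d="$WORK/part" '/^-----BEGIN CERTIFICATE-----/{n++} {print > (d n ".pem")}' "$1"
  n=0; want=''
  for p in "$WORK"/part[1-9]*.pem; do
    n=$((n + 1))
    subj=$(openssl x509 -in "$p" -noout -subject); subj=${subj#subject=}
    [ -z "$want" ] || [ "$subj" = "$want" ] || { echo "cert $n: expected '$want', got '$subj'"; return 1; }
    want=$(openssl x509 -in "$p" -noout -issuer); want=${want#issuer=}
  done
  [ "$n" -eq 3 ] || { echo "expected 3 certificates, found $n"; return 1; }
  q openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/part1.pem"
}

issue_chain rsa rsa:2048
issue_chain ecdsa ec -pkeyopt ec_paramgen_curve:prime256v1
check_chain "$WORK/website_com_rsa.crt"
check_chain "$WORK/website_com_ecdsa.crt"
echo "both SSLCertificateFile bundles are ordered leaf -> intermediate -> root"
```

Run the same check_chain against the real files before reloading Apache; a root-first file or an intermediate from the other key type fails it with a message naming the offending certificate.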