Configuring Nginx to Serve Fallback SSL for One Domain

I have a Debian server running Nginx under a domain, and I have 2 different SSL certificates, from different authorities. Is it possible to configure Nginx in a way to serve one SSL certificate, but then to serve another one as a fallback if the first one is expired, or the client doesn’t accept it?

I’ve looked into SNI, but it appears it’s only for servers that have multiple domains, with separate certificates.

Answer:

The server has no knowledge of whether the client will accept a certificate or not, because validation is done fully at the client and depends a lot on the client's trust anchors. The server also has no knowledge of whether the client just reconnected because it failed to accept the previously sent certificate. This means the server cannot pick another certificate just because the client did not accept the last one.
Apart from that, clients will not just reconnect if they failed to verify a certificate, because they will not expect the server to present a different certificate on reconnect. They expect the server to do it properly the first time.
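Since the server cannot fall back to a second certificate once a client has rejected the first, the practical control is to catch an expired or soon-to-expire certificate before nginx ever serves it. The script below is an added example, not part of the original post: it uses `openssl x509 -checkend` as a pre-reload guard, and the certificate path and threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). cert_valid_for FILE DAYS
# returns 0 if FILE is still valid for at least DAYS more days, 1 otherwise.
# The default path under /etc/nginx/ssl is an assumption, not an nginx default.

cert_valid_for() {
    cert="$1"
    days="${2:-14}"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    # -checkend N exits 0 when the certificate does NOT expire within N seconds
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 0
    fi
    echo "$cert expires within $days days:" \
         "$(openssl x509 -in "$cert" -noout -enddate)" >&2
    return 1
}

# Reload guard: only reload nginx when the configured certificate is still
# valid for long enough; a failed check leaves the running config untouched
# and exits non-zero so a deploy job or cron run can alert on it.
guarded_reload() {
    cert_valid_for "${1:-/etc/nginx/ssl/example.pem}" "${2:-14}" || return 1
    nginx -t && nginx -s reload
}
```

Run `guarded_reload /path/to/fullchain.pem 14` from the deploy step that installs a renewed certificate, or `cert_valid_for` alone from a daily cron job to get early warning.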
