
Multiple SSL certificates per virtualhost - Dual/Triple certificate setup with RSA, ECC, DSA

Dominic shared this idea 9 years ago
Open Discussion

Since Apache 2.4.8 [1] it's possible to define multiple SSL certificate types (RSA, ECC, DSA) per virtualhost.


Example

    <VirtualHost 194.126.200.29:443>
        ServerName example.com
        SSLEngine on
        # example.com_rsa.bundle.crt contains certificate and intermediates
        SSLCertificateFile /etc/ssl/cert/example.com_rsa.bundle.crt
        SSLCertificateKeyFile /etc/ssl/key/example.com_rsa.key
        # example.com_ecc.bundle.crt likewise contains certificate and intermediates
        SSLCertificateFile /etc/ssl/cert/example.com_ecc.bundle.crt
        SSLCertificateKeyFile /etc/ssl/key/example.com_ecc.key
    </VirtualHost>


The current SSL management within cPanel is limited to one certificate per virtualhost. It would be nice if the SSL manager core could support multiple certs of different public key algorithm types per virtualhost.


When using a dual/triple cert setup, the certificate and the intermediate certificates have to be combined in one file. Otherwise Apache is not able to determine which intermediate belongs to a certificate. This is an additional change to the SSL core system. The combination of certificate and intermediates can be performed/released first. This is the base for multi-certificate support.


What are the advantages of a dual/triple cert setup?


Support for ECC certs (small key size, low latency, speed) with a fall-back to RSA if a client has no support for ECDSA [2].


The Wikimedia Ops people have a very interesting thread [3] about their dual cert setup.


Who is using this setup?


  • facebook.com
  • wikipedia.org
  • stackoverflow.com
  • t.co


[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile


[2] https://istlsfastyet.com/#ecc


[3] https://phabricator.wikimedia.org/T86654

Replies (1)


This is needed as we are moving away from RSA certs, and all modern OSes support ECDSA certs (since Vista/Server 2008).
