Score:0

Is it possible to deploy 2 TLS certificates on a server at the same time?


I created CSR and asked my organization's internal CA team to generate a certificate which I then deployed on an internal server. However, the clients connecting to this server did not trust the certificate so I needed to add the key signature to the clients' Java key store using the keytool utility.

Now, this certificate is about to expire in a couple of months' time. Is it possible to have two certificates installed to have a sort of transition period while the new keys are added to all the clients' key store?

Just to give a context, there are hundreds of clients, each controlled by a different team. So, replacing the keys on all of them in an instant is really difficult.

Steffen Ullrich
How should the server decide which certificate to provide to the client? If they would access a different IP address or a different server name it would be possible, but it is impossible to send multiple server certificates at once and let the client pick one. Also, the setup looks strange - why don't the clients simply trust a CA instead of trusting a specific certificate only?
It would be more precise to call it _truststore_ (that's the term Java uses). You can put multiple certificates into the truststore, but the standard method is putting CA certificates into the truststore, not EE certificates (EE = End Entity). PS: the default Java truststore is `$JRE_HOME/lib/security/cacerts`; you can check its content with `keytool -list`: it contains various root CA certificates.
Score:1

Now, this certificate is about to expire in a couple of months' time. Is it possible to have two certificates installed to have a sort of transition period while the new keys are added to all the clients' key store?

This is an X-Y problem.

The proper solution is to add the CA certificate to the relevant keystores. Spend the months leading up to expiry adding the CA certificate, and when time comes to renew your certificate, simply replace it with a certificate issued by the same CA.
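To make the answer's recommendation checkable, here is an added example (not code from the thread or from any of its participants): a small Java program that loads a client truststore and runs PKIX path validation of a server certificate against it. Once the internal CA certificate is in the truststore, both the current server certificate and its renewal validate against the same anchor, which is exactly the transition the question is after. The file names `truststore.jks` and `server-chain.pem`, the alias `internal-ca`, and the class name `TrustStoreCheck` are assumptions chosen for the example.

```java
// Added example, not from the original thread. Validates a server certificate
// chain against a Java truststore that is expected to hold the internal CA.
//
// Assumed setup (placeholders, adjust to your environment):
//   1. Import the CA certificate into the client truststore:
//        keytool -importcert -trustcacerts -alias internal-ca \
//                -file internal-ca.pem -keystore truststore.jks
//   2. Save the server certificate (plus any intermediates, but not the root)
//      as server-chain.pem, then run:
//        java TrustStoreCheck truststore.jks changeit server-chain.pem
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class TrustStoreCheck {

    /** Loads a JKS truststore, the format the keytool commands in this thread produce. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads every certificate in a PEM or DER file: leaf first, then intermediates. */
    static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
            return chain;
        }
    }

    /** Turns the truststore's certificate entries into PKIX trust anchors and flags non-CA entries. */
    static Set<TrustAnchor> trustAnchors(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            // getBasicConstraints() returns -1 when the certificate is not a CA:
            // that is the pinned end-entity pattern from the question, which has
            // to be redone on every renewal.
            if (cert.getBasicConstraints() < 0) {
                System.out.println("warning: alias '" + alias + "' is an end-entity certificate, not a CA");
            }
            anchors.add(new TrustAnchor(cert, null));
        }
        return anchors;
    }

    /** Runs PKIX validation and returns the anchor the chain terminated at; throws if it does not chain. */
    static TrustAnchor validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // internal CA without CRL/OCSP endpoints is assumed
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TrustStoreCheck <truststore.jks> <password> <server-chain.pem>");
            System.exit(2);
        }
        KeyStore ks = loadTrustStore(args[0], args[1].toCharArray());
        List<X509Certificate> chain = loadChain(args[2]);
        try {
            TrustAnchor anchor = validate(chain, trustAnchors(ks));
            System.out.println("chain OK, anchored at: " + anchor.getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("chain REJECTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it once with the current server certificate and once with the renewed one: with the CA in the truststore both print `chain OK` against the same anchor, so the renewal needs no client-side change. Note that `CertPathValidator` only accepts a path that terminates at a CA anchor, whereas the JSSE trust manager also tolerates a pinned end-entity certificate, which is why the setup in the question worked at all.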
