Score:0

nginx multiple certificate types


I have a single server block that I want to offer two kinds of certificate for: one ECC and one RSA. The ECC cert is because for certain of the clients ECDSA is the only viable option in TLS 1.2 (and they don't support 1.3). The RSA cert is for widest compatibility across systems. It'd be nice to also offer EdDSA for speed, but that's not a requirement.

Per "Can a server offer more than one TLS certificate?", it's possible -- but I don't know whether it's possible to do it with nginx.

I do not mean that I want to offer a different certificate per DNS name or per port or anything like that -- I want the difference to be based on the client's capabilities.

I'm using nginx as a TLS-terminating reverse proxy. I have flexibility to upgrade my nginx version and install plugins. Although I need to support certain old systems, they all support TLS 1.2+ and they all support at least one still-strong cipher suite on it.

Score:2

You can specify multiple certificate types by just entering multiple directives like this:

ssl_certificate /path/to/rsa_cert;
ssl_certificate_key /path/to/rsa_key;
ssl_certificate /path/to/ecc_cert;
ssl_certificate_key /path/to/ecc_key;
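
A fuller server block built around the directives in the answer above, as an added example that is not part of the original answer. The server name, backend address and cipher list are assumptions; repeating `ssl_certificate` for different key types needs nginx 1.11.0 or later.

```nginx
server {
    listen 443 ssl;
    server_name example.test;                 # placeholder name

    # One certificate/key pair per key type (paths as in the answer above).
    ssl_certificate     /path/to/rsa_cert;
    ssl_certificate_key /path/to/rsa_key;
    ssl_certificate     /path/to/ecc_cert;
    ssl_certificate_key /path/to/ecc_key;

    # TLSv1.3 here needs an nginx/OpenSSL build that supports it.
    ssl_protocols TLSv1.2 TLSv1.3;

    # In TLS 1.2 the certificate served follows the negotiated cipher suite,
    # so the list must contain both ECDHE-ECDSA-* and ECDHE-RSA-* suites.
    # If only one family is listed, the other certificate is never used.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # With server preference on and ECDSA listed first, clients that support
    # both get the ECC certificate; RSA-only clients fall back to RSA.
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:8080;     # placeholder backend
    }
}

# Check from a client which certificate each suite family receives:
#   openssl s_client -connect example.test:443 -tls1_2 \
#       -cipher ECDHE-ECDSA-AES128-GCM-SHA256 </dev/null \
#       | openssl x509 -noout -text | grep "Public Key Algorithm"
#   openssl s_client -connect example.test:443 -tls1_2 \
#       -cipher ECDHE-RSA-AES128-GCM-SHA256 </dev/null \
#       | openssl x509 -noout -text | grep "Public Key Algorithm"
```

Run `nginx -t` after editing; a key file that does not match its certificate is reported there.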