Multiple TLS Certificates: Improving Security

TL;DR

Yes, a website can be configured with multiple valid TLS certificates linked to different root Certificate Authorities (CAs). This isn’t common but provides redundancy and can mitigate risk if one CA is compromised. However, it adds complexity to certificate management.

How Multiple Certificates Work

Normally, a website uses one TLS certificate issued by a single CA. The browser checks this certificate against its list of trusted root CAs. If the chain of trust is valid (certificate -> intermediate certificates -> root CA), the connection is secure.

Why Use Multiple Certificates?

1. CA Compromise: If a CA gets hacked or issues fraudulent certificates, having alternatives allows your site to remain accessible.
2. Browser Compatibility: Historically (less common now), some older browsers had issues with specific CAs.
3. Geographic Redundancy: Different CAs might have better coverage in different regions.
4. Load Balancing/Multiple Servers: Each server could use a different certificate, simplifying management if you’re not using a central TLS termination point.

Setting Up Multiple Certificates – Step-by-Step

This process varies depending on your web server (Apache, Nginx, IIS) and how you manage certificates (Let’s Encrypt, commercial CA).

1. Obtain Certificates

• Purchase or generate TLS certificates from different CAs. Ensure each certificate covers the same domain(s).

2. Configure Your Web Server

The key is to tell your web server which certificate to use based on specific conditions (e.g., client IP address, hostname).

Apache (.htaccess or Virtual Host configuration)

<VirtualHost *:443>
  ServerName example.com
  DocumentRoot /var/www/example.com

  SSLEngine on
  SSLCertificateFile /path/to/cert1.pem
  SSLCACertificateFile /path/to/ca1.pem
  # ... other configuration...
</VirtualHost>

You would need separate VirtualHost blocks (or .htaccess rules) for each certificate, potentially using <IfModule mod_ssl> to ensure SSL is enabled.

Nginx (server block configuration)

server {
  listen 443 ssl;
  server_name example.com;

  ssl_certificate /path/to/cert1.pem;
  ssl_certificate_key /path/to/key1.pem;
  # ... other configuration...
}

Similar to Apache, you’d need multiple server blocks for each certificate.

3. Certificate Chain Management

• Complete Chains: Ensure each certificate includes the full chain of intermediate certificates leading back to the root CA. Most CAs provide these as a bundle file.
• Order Matters: The order is important! The server certificate should come first, followed by any intermediate certificates, and finally the root certificate (though including the root cert isn’t always necessary).

4. Testing

• Use an online SSL checker tool (e.g., SSL Shopper) to verify that both certificates are correctly installed and trusted by different browsers.
• Check the certificate chain using a command like openssl s_client -connect example.com:443. This will show you the entire chain presented by the server.

5. Automation (Recommended)

Manually managing multiple certificates is error-prone. Consider using tools like:

• Certbot: Can automate certificate renewal for Let’s Encrypt and potentially other CAs.
• ACME clients: Other ACME (Automated Certificate Management Environment) clients can handle multiple certificates from different providers.

Important Considerations

• Complexity: Managing multiple certificates increases operational overhead.
• Performance: While minimal, there might be a slight performance impact due to the server needing to select the appropriate certificate.
• OCSP Stapling/CRL Distribution: Ensure OCSP stapling or CRL distribution is configured correctly for each CA to improve revocation checking performance and security.