On Thu, Dec 8, 2011 at 6:10 PM, Erwann Abalea <[email protected]> wrote:
> 2 certificates, one with an RSA key, the other with a DSA key. This is
> supported both by the protocol (SSL3 at least), and by Apache. The 2
> certificates can of course be delivered by different CAs. I haven't tested
> the browsers' behavior, it may be a good thing to do ;)

That certainly works, but the server selects only one certificate chain to serve based on the selected cipher suite. Since the client's advertised cipher suites are basically fixed, a given client will always get the same chain, so I don't believe that this achieves the CA redundancy that Daniel was looking for.

Cheers

AGL
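The selection behaviour described in the reply above, as an added example that is not part of the original message: a simplified model of a server holding an RSA chain and a DSA chain from two different CAs. The CA names (`CA-A`, `CA-B`), the client offer lists and all function names are constructed for illustration.

```python
# Simplified model of SSL/TLS server-side chain selection (added illustration).
# CA names and client offers are constructed; suite names are IANA names.
SUITE_AUTH = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "RSA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "RSA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "DSS",
}

# One chain per key type, each from a different hypothetical CA.
SERVER_CHAINS = {"RSA": "CA-A", "DSS": "CA-B"}

# Constructed client offers, in client preference order.
CLIENT_RSA_FIRST = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
CLIENT_DSS_FIRST = ["TLS_DHE_DSS_WITH_AES_128_CBC_SHA"] + CLIENT_RSA_FIRST[:1]


def select_chain(client_offer, server_pref=None):
    """Return (suite, issuing CA) for the first usable suite, or None.

    The client's order is used unless the server supplies its own preference.
    """
    order = server_pref if server_pref is not None else client_offer
    for suite in order:
        auth = SUITE_AUTH.get(suite)
        if suite in client_offer and auth in SERVER_CHAINS:
            return suite, SERVER_CHAINS[auth]
    return None


def chains_seen(client_offer, attempts=5):
    """Set of issuing CAs a client is served across repeated handshakes."""
    return {select_chain(client_offer)[1] for _ in range(attempts)}


def connects(client_offer, trusted_cas):
    """True if the single chain the server picks validates for this client."""
    chosen = select_chain(client_offer)
    return chosen is not None and chosen[1] in trusted_cas


if __name__ == "__main__":
    print(chains_seen(CLIENT_RSA_FIRST))          # only ever one CA
    print(connects(CLIENT_RSA_FIRST, {"CA-B"}))   # CA-A distrusted: no fallback
```

A client that offers the DSS suite but prefers RSA still fails once `CA-A` is no longer trusted, because nothing in the handshake makes the server try the other chain.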
