Can I use both RSA and ECC certificates in apache?
This is possible depending on both the Apache version and the OpenSSL version.
Running ECC & RSA certificates in parallel on Apache using different intermediate certificates requires Apache 2.4.8+ and OpenSSL 1.0.2+.
The SSLCertificateFile entry added support for intermediates as of Apache 2.4.8. OpenSSL adds the ability to load intermediates on a per-certificate basis as of version 1.0.2.
The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile. When running with OpenSSL 1.0.2 or later, this allows to configure the intermediate CA chain on a per-certificate basis.
Source: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
Although earlier versions of Apache support multiple SSLCertificateFile entries, they won't load intermediates from those entries, and SSLCertificateChainFile can only be used once. Therefore, in earlier versions you can still run ECC/RSA/DSA certs in parallel, but they must all use the same intermediate.
But be careful: Providing the certificate chain works only if you are using a single RSA or DSA based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation.
Source: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLCertificateChainFile
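As an added illustration (not part of the answer above or of the Apache documentation), here are the two configuration shapes the answer describes: the 2.4.8+/OpenSSL 1.0.2+ form where each certificate file carries its own chain, and the older form that is stuck with one shared SSLCertificateChainFile. The hostname and file paths are assumptions; the two VirtualHost blocks are alternatives, not meant to be active at the same time.

```apache
# Added example, not taken from the original answer. Paths and ServerName are
# placeholders. Use ONE of the two blocks below, depending on your versions.

# --- Apache 2.4.8+ with OpenSSL 1.0.2+ ---------------------------------
# Each SSLCertificateFile is a bundle: leaf certificate first, then its own
# intermediate(s). Because the chain is attached per certificate, the RSA and
# ECC certificates may be issued by different intermediates.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # RSA certificate + RSA intermediate (leaf first, then intermediate)
    SSLCertificateFile    /etc/ssl/example/rsa-fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/rsa.key

    # ECC certificate + ECC intermediate (leaf first, then intermediate)
    SSLCertificateFile    /etc/ssl/example/ecc-fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/ecc.key
</VirtualHost>

# --- Apache before 2.4.8 (or OpenSSL before 1.0.2) ----------------------
# Intermediates in SSLCertificateFile are ignored, and SSLCertificateChainFile
# may appear only once, so both leaves must share the same intermediate.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    SSLCertificateFile      /etc/ssl/example/rsa.crt
    SSLCertificateKeyFile   /etc/ssl/example/rsa.key

    SSLCertificateFile      /etc/ssl/example/ecc.crt
    SSLCertificateKeyFile   /etc/ssl/example/ecc.key

    # One chain for every certificate above
    SSLCertificateChainFile /etc/ssl/example/shared-intermediate.pem
</VirtualHost>
```

The bundle files in the first block are plain concatenations in leaf-to-root order, e.g. `cat rsa.crt rsa-intermediate.pem > rsa-fullchain.pem`; putting the intermediate before the leaf makes Apache treat the intermediate as the server certificate and fail to match it against the key. Each SSLCertificateKeyFile is paired with the SSLCertificateFile that precedes it, so keep the cert/key lines together as shown.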