Multiple SSL certificates for a single domain on different servers

Solution 1:

With bog-standard SSL, this is fine. HA provides the old certificate, validly-signed, and clients using the old A record from the DNS and connecting to that server will continue to accept it. HB will provide the new certificate, and clients getting the new A record will connect to it and accept the new certificate. They can peacefully co-exist.

That said, there are some extensions to SSL that may make this more tricky. Browser plugins like Certificate Patrol, which cache SSL certificates, will flag up the change, and if the client is unlucky enough to get the old record after having validated the new one (perhaps a user will move a laptop from work (old DNS) to a cybercafe (new DNS), then back to work), the plugin will grumble.

I have a recollection of another distributed system that allowed multiple users to avoid MITM certification attacks by pooling the many client views of the certificate seen at any given server. Whilst I can't find a reference to it right now, this would most definitely cause problems with your scenario.

But these aren't hugely common yet, so you'll probably be OK.

Solution 2:

It's entirely possible to have two separate certificates for the same hostname at the same time. For instance, when you need to renew a certificate, you would want to get the new certificate before the old one expires, and you don't want the old certificate to become invalid before you've installed the new one.

Exactly how you do this will depend on the CA that you bought the certificate from. I've worked with Verisign; they had the option to order an updated ("renewed") certificate within 90 days of expiry time. If your CA does that, I'd advise you to simply renew your certificate provided you are within the timeframe allowed. This has the advantage that the old certificate will stop working when it expires.

Otherwise, you would need to order a new certificate which would likely replace the old one and thus flag the old one as invalid (but since most browsers don't check that, it would still work for most users). But your CA should be able to advise you on how to proceed.
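Both answers rest on the same fact: two distinct, validly-signed certificates for one hostname can be served at the same time, and a client accepts whichever it is handed as long as that one covers the name and is within its validity window. The script below is an added example, not code from either answer. It builds two self-signed certificates for one hostname as stand-ins for the "old" certificate on HA and the "new" one on HB, checks the conditions the answers rely on (both cover the name, both are currently valid, they are different certificates, which is exactly the change a pinning plugin such as Certificate Patrol would notice), and includes a helper for asking a specific server address which certificate it actually presents, bypassing DNS. It assumes openssl 1.1.1 or later on PATH; www.example.com and the server addresses are constructed placeholders, and self-signed certificates stand in for CA-issued ones.

```shell
#!/bin/sh
# Added example, not from either answer above. Two self-signed certificates
# for one hostname stand in for the "old" cert on HA and the "new" cert on HB.
# Assumes openssl 1.1.1+ on PATH; www.example.com is a constructed placeholder.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <prefix> <hostname> <days>: self-signed cert with a SAN for the
# name (modern clients ignore the CN). Prints the path of the PEM file.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -days "$3" >/dev/null 2>&1
    printf '%s\n' "$WORK/$1.pem"
}

# cert_fp <pem>: SHA-256 fingerprint, the value certificate-pinning tools key on.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_covers <pem> <hostname>: exit 0 if the certificate is valid for the name.
# openssl prints "does match" or "does NOT match"; the exit status is not set.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_unexpired <pem>: exit 0 if notAfter is still in the future.
cert_unexpired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# certs_coexist <old.pem> <new.pem> <hostname>: exit 0 if both certificates
# can be served for the name at the same time; otherwise say why and exit 1.
certs_coexist() {
    cert_covers "$1" "$3" || { echo "old cert does not cover $3"; return 1; }
    cert_covers "$2" "$3" || { echo "new cert does not cover $3"; return 1; }
    cert_unexpired "$1"   || { echo "old cert has expired"; return 1; }
    cert_unexpired "$2"   || { echo "new cert has expired"; return 1; }
    [ "$(cert_fp "$1")" != "$(cert_fp "$2")" ] \
        || { echo "old and new are the same certificate"; return 1; }
    echo "ok: two distinct valid certificates for $3"
}

# served_fp <ip> <hostname>: fingerprint of the certificate a specific server
# presents for the name, bypassing DNS. Run it against HA's and HB's addresses
# during the cutover to see which certificate each host is really serving.
# Needs network access; the addresses you pass are your own two servers.
served_fp() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo: old cert with 30 days left and new cert good for a year, same name.
OLD=$(make_cert old www.example.com 30)
NEW=$(make_cert new www.example.com 365)
echo "HA serves: $(cert_fp "$OLD")"
echo "HB serves: $(cert_fp "$NEW")"
certs_coexist "$OLD" "$NEW" www.example.com
```

During a real cutover, `served_fp HA_ADDRESS www.example.com` and `served_fp HB_ADDRESS www.example.com` show the two fingerprints clients will see depending on which A record their resolver returned; once the old record has aged out everywhere and the old certificate has expired, only the second value should remain in use.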