Configure NGINX to support ECDSA and RSA certs/keys at the same time
Daniel Nashed – 18 February 2026 21:38:57
NGINX is still my favorite secure reverse proxy. There are easier-to-use solutions, but NGINX is very flexible, high-performance and can be configured in great detail.
Here is an example of a configuration we are running in the DNUG lab.
This is only the TLS/SSL part of the configuration. The server has many different names dispatched via SNI to different local and remote hosts on the same IP.
Here is a TLS 1.2/1.3-only configuration with a very selective cipher list and the three main NIST P curves.
NGINX supports dual certificates: you can configure an ECDSA and an RSA certificate/key pair in parallel.
When a client only supports RSA ciphers or only RSA signatures, it gets a session using the RSA key and RSA ciphers.
Here is an example request:
openssl s_client -connect linus.lab.dnug.eu:443 -servername linus.lab.dnug.eu -tls1_2 -cipher 'ECDHE-RSA-AES128-GCM-SHA256'
This might not be 1:1 what you want to use. You would probably want more ciphers. But this is something good to test with.
events {}

http {
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_ecdh_curve secp256r1:secp384r1:secp521r1;
    ssl_prefer_server_ciphers on;

    ssl_certificate /local/nginx/star-dnug-lab-ecdsa.pem;
    ssl_certificate_key /local/nginx/star-dnug-lab-ecdsa.key;
    ssl_certificate /local/nginx/star-dnug-lab-rsa.pem;
    ssl_certificate_key /local/nginx/star-dnug-lab-rsa.key;

    proxy_read_timeout 60;
    proxy_ssl_name $server_name;
    proxy_ssl_server_name on;
    proxy_ssl_session_reuse on;
    ...
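The s_client command above tests one cipher by hand. As an added example (my own script, not part of the original post or of NGINX), here is a small POSIX shell check that runs the same kind of probe twice, once with an ECDSA-only cipher and once with an RSA-only cipher, and reduces each s_client report to the negotiated cipher, the peer signature type and the ephemeral key, so you can confirm that the dual-cert setup really hands the ECDSA chain to ECDSA-capable clients and the RSA chain to RSA-only ones. The host name is a placeholder, and the embedded sample report is constructed so the parsing part runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a dual-cert NGINX
# host serves an ECDSA chain to ECDSA-capable clients and an RSA chain to
# RSA-only clients. The host argument is a placeholder; the sample s_client
# report embedded below is constructed for offline use.

# Open a TLS 1.2 handshake restricted to one cipher list and dump the
# s_client report (handshake text plus the session summary block).
probe() {
  host=$1; ciphers=$2
  openssl s_client -connect "$host:443" -servername "$host" -tls1_2 \
    -cipher "$ciphers" </dev/null 2>/dev/null
}

# Reduce an s_client report on stdin to one line:
#   cipher=<negotiated cipher> sig=<peer signature type> tmpkey=<ephemeral key>
# A failed handshake shows up as "Cipher : 0000" in the session block.
summarize() {
  awk '
    /^ *Cipher *:/           { cipher = $NF }
    /^Peer signature type:/  { sig = $NF }
    /^Server Temp Key:/      { sub(/^Server Temp Key: */, ""); tmpkey = $0 }
    END {
      if (cipher == "" || cipher == "0000") { print "handshake=failed"; exit }
      printf "cipher=%s sig=%s tmpkey=%s\n", cipher, sig, tmpkey
    }'
}

# Does the summary line report the expected signature family?
# "RSA" also accepts "RSA-PSS", which OpenSSL prints for PSS signatures.
signed_with() {
  case "$2" in *" sig=$1"*) return 0 ;; *) return 1 ;; esac
}

# Run both probes against a live host; exit status 0 only if both match.
check_dual_cert() {
  host=$1
  ecdsa=$(probe "$host" 'ECDHE-ECDSA-AES128-GCM-SHA256' | summarize)
  rsa=$(probe "$host" 'ECDHE-RSA-AES128-GCM-SHA256' | summarize)
  echo "ECDSA-only client: $ecdsa"
  echo "RSA-only client:   $rsa"
  signed_with ECDSA "$ecdsa" && signed_with RSA "$rsa"
}

# Constructed sample report, roughly what OpenSSL prints for an ECDSA session
# negotiated with the configuration above (P-256 ephemeral key, ECDSA cipher).
SAMPLE_ECDSA='Server public key is 256 bit
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256'

if [ -n "$1" ]; then
  check_dual_cert "$1"      # usage: sh check-dual-cert.sh proxy.example.test
else
  printf '%s\n' "$SAMPLE_ECDSA" | summarize
fi
```

The tmpkey field is worth reading alongside the ssl_ecdh_curve directive: if a client that only offers a curve outside secp256r1:secp384r1:secp521r1 (X25519, for instance) connects, the handshake fails rather than falling back, and the summary reports handshake=failed.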