I have a website running here, and several domains are pointed to it. Each of the domains that is not the main/primary domain name (a .com address) is then re-routed inside the nginx server config file, using a 301 return code, to send all its traffic to the main .com address.
I have one SSL certificate for the site, which is held with startssl.com - which is for the .com address.
The recent Heartbleed glitch has led me to need to revoke the certificate... and I realised then that StartSSL were going to force me to 'pay' some euros to revoke the certificate. I don't like this situation at all, since this is akin to paying a security guard only when a break-in has already occurred! (The reverse of how security should be funded - if it is funded at all.)
Anyway, I have been thinking about changing the domain name for the site to a shorter version, which is available. So I am wondering if I would be wiser to claim the new domain name, set up another free certificate with StartSSL for the new domain name - and then route all the traffic to the new domain name via a 301 return code inside nginx.
Would this bypass the need to revoke the certificates for the old domain names, since the traffic is now being routed to the new domain name?
Or would the fact that people would be connecting to my server using the old domain name and old/unrevoked SSL certificate initially result in the SSL session being created using that old certificate anyway? Even though I route the traffic to the new domain via nginx?
Even if this does work, I would still be left with the situation of using StartSSL (against my preference) - however, I would then look to move to CAcert ASAP (once they audit their services and are accepted into the trust databases and major browsers).
Anyone got any thoughts on this here?
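
The redirect setup described in the question, written out as an added nginx example that is not part of the original post, to show where the old certificate still comes into play. The host names `old-name.example` and `new-name.example`, the file paths and the web root are placeholders assumed for illustration.

```nginx
# Added illustration. Host names, certificate paths and the web root
# below are placeholders, not values from the original post.

# Plain HTTP request to the old name: no TLS is involved, so nginx
# answers with the 301 straight away.
server {
    listen 80;
    server_name old-name.example www.old-name.example;
    return 301 https://new-name.example$request_uri;
}

# HTTPS request to the old name: the client first completes a TLS
# handshake for old-name.example and validates the certificate it is
# shown. Only after that does it send the HTTP request, so the 301
# below travels inside a session that was set up with the old name's
# certificate and private key.
server {
    listen 443 ssl;
    server_name old-name.example www.old-name.example;

    # A certificate valid for the old name is still needed here.
    # Without one, nginx presents the default server's certificate
    # and the browser raises a name-mismatch warning before it ever
    # sees the redirect.
    ssl_certificate     /etc/nginx/ssl/old-name.example.crt;
    ssl_certificate_key /etc/nginx/ssl/old-name.example.key;

    return 301 https://new-name.example$request_uri;
}

# The new primary name, served with its own certificate and key.
server {
    listen 443 ssl;
    server_name new-name.example;

    ssl_certificate     /etc/nginx/ssl/new-name.example.crt;
    ssl_certificate_key /etc/nginx/ssl/new-name.example.key;

    root /var/www/site;
}
```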