With SHA1 certs being deprecated by major browsers it seems wise to get a SHA2 signed cert. But in doing so you will be locking out IE6 users. While for most people this won't be an issue in some cases it may lock out significant users.
Looking at the SSL handshake the client sends details of what it supports.
So in theory a server could send a certificate that the client will support. Newer browsers would get a SHA2 signed one and older ones SHA1.
However it doesn't look like there are any ways do do this with nginx configuration. While you can set versions of cyphers and protocols you can't have any logic to determine how to behave with different client configurations.
Ia there a way to server a different certificate depending on what the client supports?
This isn't currently possible with nginx (though it is with apache). However, it seems that companies like CloudFlare have already implemented their own internal modifications of nginx to be able to do so and will hopefully be open sourcing their work (https://news.ycombinator.com/item?id=8276770), so I'm hoping/expecting nginx will have this ability in a year from now when the need becomes more pressing as we approach 2016.
In the meantime, i just bought a 1-yr cert expiring in late 2015 so i don't get hit by Chrome's warnings until a hopefully a feature like this comes out.