On Tue, 13 Sep 2016 03:15:18 -0400 Ian Sutton <i...@ce.gl> wrote:

> On Tue, Sep 13, 2016 at 12:05:53AM -0700, Philip Guenther wrote:
> > See, here's where you're taking a wrong turn that I should have
> > caught earlier: your first post should answer this question:
> > What problem are you trying to solve?
> >
> > httpd may be able to do what you want *already*, but since you
> > haven't actually *told anyone* what you're trying to do, no one can
> > help you and say "oh yeah, that already works as documented in
> > <blahblahbah>"
>
> Since my certificate isn't provided by a root CA, any clients would
> have to verify both my cert AND the certificates of the intermediate
> authorities between me and the root CA. I can provide this certificate
> stapled along with my own cert to save the client the trouble of
> fetching it, which Qualys informs me is "good practice".
Did you try to /append/ the intermediate certificate(s) to the server
certificate? That worked for me on OpenBSD 6.0's httpd.

An explanation might be the documentation to the
SSL_CTX_use_certificate_chain_XXX functions used:

    The SSL_CTX_use_certificate_chain*() functions load a certificate
    chain into ctx. The certificates must be in PEM format and must be
    sorted starting with the subject's certificate (actual client or
    server certificate), followed by intermediate CA certificates if
    applicable, and ending at the highest level (root) CA. There is no
    corresponding function working on a single SSL object.

Best regards
Robert
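The ordering rule Robert quotes (server certificate first, then each intermediate, optionally ending at the root) is easy to get wrong when concatenating files by hand, and httpd gives little feedback when it is. The following script is an added example; it is not code from this thread or from OpenBSD. It builds a throwaway root -> intermediate -> server PKI with openssl(1) (all names, including the hostname www.example.org, are constructed), writes the bundle in the correct order and in the wrong order, and provides a check_chain_order function that walks a PEM bundle and confirms that the first certificate names the server and that every certificate's issuer is the subject of the certificate after it. In httpd.conf(5) the resulting bundle is what the `tls certificate` directive should point at; the path /etc/ssl/server.fullchain.pem used below is an assumed one.

```shell
#!/bin/sh
# Added example (not from the thread or OpenBSD): build a constructed
# root -> intermediate -> server PKI, assemble the bundle in the order
# SSL_CTX_use_certificate_chain*() expects, and check that order.

# check_chain_order BUNDLE HOSTNAME
#   Returns 0 when the first certificate in BUNDLE names HOSTNAME and every
#   certificate's issuer equals the subject of the certificate following it.
check_chain_order() {
    bundle=$1
    host=$2
    tmp=$(mktemp -d) || return 2
    # split the PEM bundle into 1.pem, 2.pem, ... in order of appearance
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/" n ".pem") }' "$bundle"
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    [ "$n" -gt 0 ] || { rm -rf "$tmp"; return 1; }

    # the first certificate must be the server's own certificate
    first=$(openssl x509 -noout -subject -in "$tmp/1.pem")
    case "$first" in
        *"$host"*) ;;
        *) echo "first certificate is not the server certificate: $first" >&2
           rm -rf "$tmp"; return 1 ;;
    esac

    # each certificate must be issued by the one that follows it
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -noout -issuer -in "$tmp/$i.pem" | sed 's/^issuer=//')
        subject=$(openssl x509 -noout -subject -in "$tmp/$j.pem" | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then
            echo "chain breaks between certificate $i and $j:" >&2
            echo "  issuer of $i:  $issuer" >&2
            echo "  subject of $j: $subject" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$j
    done
    rm -rf "$tmp"
    return 0
}

# make_demo_pki
#   Creates a constructed root CA, intermediate CA and server certificate
#   (hostname www.example.org is an assumed value) in a temporary directory,
#   writes fullchain.pem (correct order) and wrong-order.pem (intermediate
#   first), and prints the directory path.
make_demo_pki() {
    dir=$(mktemp -d) || return 2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    # root CA: self-signed
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -out "$dir/root.pem" -days 2 -extfile "$dir/ca.ext" 2>/dev/null
    # intermediate CA: signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/int.pem" -days 2 -extfile "$dir/ca.ext" 2>/dev/null
    # server certificate: signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=www.example.org" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/server.pem" -days 2 2>/dev/null
    # the bundle httpd should be pointed at: server cert first, then the intermediate
    cat "$dir/server.pem" "$dir/int.pem" > "$dir/fullchain.pem"
    # the same two certificates in the wrong order
    cat "$dir/int.pem" "$dir/server.pem" > "$dir/wrong-order.pem"
    echo "$dir"
}

# Run as `sh chain-check.sh demo` to exercise both bundles.
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_pki)
    check_chain_order "$d/fullchain.pem" www.example.org && echo "fullchain.pem: order OK"
    check_chain_order "$d/wrong-order.pem" www.example.org || echo "wrong-order.pem: rejected"
    # what a client effectively does: verify the server cert via the
    # intermediate against the trusted root
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/server.pem"
    rm -rf "$d"
fi
```

Against a real deployment, source the script and run `check_chain_order /etc/ssl/server.fullchain.pem www.example.org` (assumed path and hostname) before reloading httpd; a non-zero exit with the printed issuer/subject pair shows exactly where the concatenation went out of order.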