Kevin Castner wrote:
> 
> 
> 1) Is my understanding correct in that I can package the entire trust
> chain as part of the server cert.  If so, how?
> 

Short answer, not really. Long answer: there are ways which involve
including URLs in the certificate showing how to download the
intermediate cert, but this isn't really worth it because few, if any,
browser versions support it.

> 2) If not, then how does the browser get the intermediate CA certificate
> without having to explicitly load it into the browser.
> 

The problem is caused by the browser being unable to build a trusted
chain because it can't see the intermediate CA, presumably because the
server isn't sending it. You need to load the intermediate CA into the web
*server's* trusted CA store, and optionally the root as well; alternatively
there may be a directive to allow you to add additional certificates.

You can use the openssl utility s_client with the -showcerts option to
see which certificates the server is sending.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
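Editor's note: the following is an added, self-contained shell example; it is not part of the original exchange and not the OpenSSL project's own code. It uses the openssl command-line tool to build a constructed chain (root CA -> intermediate CA -> server leaf; every name, hostname and file below is made up) and then reproduces the situation Steve describes: with only the root in the trust store, the leaf by itself cannot be verified, while the same leaf verifies as soon as the intermediate is offered alongside it. The last function wraps the s_client -showcerts check from the reply; it is defined but not run, because it needs a live server.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenSSL project.
# Builds a constructed certificate chain (root CA -> intermediate CA -> server
# leaf; all names are made up) and shows why a browser that only has the root
# in its trust store cannot verify a leaf unless the intermediate is sent too.
# Requires the openssl command-line tool (1.1.x or 3.x).
set -eu

# Minimal req config plus extension profiles for CA and leaf certs, so nothing
# here depends on the system openssl.cnf.
write_profiles() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
    cat > "$1/ca.ext" <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$1/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Issue one certificate: $1 dir, $2 name, $3 subject, $4 extension file,
# $5 issuer name, or "self" for a self-signed root.
issue_cert() {
    d=$1; name=$2; subj=$3; ext=$4; issuer=$5
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$name.key"
    openssl req -new -config "$d/req.cnf" -key "$d/$name.key" \
        -subj "$subj" -out "$d/$name.csr" 2>/dev/null
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" \
            -days 3650 -extfile "$d/$ext" -out "$d/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" \
            -CAkey "$d/$issuer.key" -CAcreateserial -days 825 \
            -extfile "$d/$ext" -out "$d/$name.pem" 2>/dev/null
    fi
}

# Build root -> intermediate -> leaf in directory $1.
build_chain() {
    write_profiles "$1"
    issue_cert "$1" root "/CN=Example Root CA" ca.ext self
    issue_cert "$1" int  "/CN=Example Intermediate CA" ca.ext root
    issue_cert "$1" leaf "/CN=www.example.test" leaf.ext int
    # What a correctly configured server sends: its own cert first, then the
    # intermediate(s). The root is omitted; the client already has it.
    cat "$1/leaf.pem" "$1/int.pem" > "$1/fullchain.pem"
}

# Verify leaf.pem the way a browser would: trust store = root.pem only.
# $2 (optional) is a file of extra, untrusted certs offered with the leaf,
# i.e. whatever the server sent besides its own certificate.
verify_leaf() {
    if [ -n "${2:-}" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$1/root.pem" \
            -untrusted "$1/$2" "$1/leaf.pem"
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$1/root.pem" "$1/leaf.pem"
    fi
}

# Number of PEM certificates in a bundle (2 for our leaf + intermediate).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# The check from the reply: how many certificates does a live server send?
# Not run here because it needs network access; $1 is a hostname.
show_server_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_chain "$WORK"

echo "1) leaf only (server not sending the intermediate):"
verify_leaf "$WORK" 2>&1 || true        # error 20: unable to get local issuer certificate
echo "2) leaf + intermediate (fixed server config):"
verify_leaf "$WORK" fullchain.pem       # leaf.pem: OK
echo "bundle contains $(count_certs "$WORK/fullchain.pem") certificates"
```

The fullchain.pem built above is the file the web server has to present. On Apache httpd the extra certificates go in SSLCertificateChainFile, or (2.4.8 and later) are appended to the file named by SSLCertificateFile; nginx expects them appended to the ssl_certificate file. After reloading the server, show_server_chain against the hostname should report 2, not 1.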
