On Mon, Feb 27, 2006, Brian Candler wrote:

> On Mon, Feb 27, 2006 at 01:41:33PM +0100, Dr. Stephen Henson wrote:
> > Since you didn't include the root CA it isn't possible to say why it isn't
> > excluded.
> >
> > I notice the small serial numbers in the certificates and some invalid
> > extensions in there. I'd suggest using the CA.pl script (if you use OpenSSL
> > 0.9.8 get it from a recent snapshot: the included one is buggy) instead.
>
> The root certificate is attached below. I also tried appending this to my
> server.example.com-cert.pem (so there were three certificates in all), but
> that didn't make a difference.
>

Have you tried placing the sub CA in /etc/ssl/certs and running c_rehash on
that directory?

> Is it correct of me simply to concatenate the server certificate together
> with the sub-CA certificate and the root certificate? Or should TinyCA have
> created a certificate which incorporates the whole chain itself? Or does the
> application use some other mechanism to assemble the chain from the
> constituent certificates? I'm afraid I'm not sufficiently PKCS#7-savvy to
> know what a real certificate at the bottom of a chain should look like.
>

It needs to have the whole chain visible somehow. Placing the subCA and root
CA in the trusted directory is one way. Concatenating them into a single file
and pointing to that using -CAfile is another.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
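
The two options named in the reply above (CA certificates in a hashed trusted directory, or sub CA and root concatenated into one file for -CAfile) are shown below as an added example that is not part of the original message. It builds a throwaway root CA, sub CA and server certificate; all file names, CNs and function names are constructed for illustration, and it assumes an `openssl` command line recent enough that `openssl verify` exits non-zero on failure.

```shell
#!/bin/sh
# Constructed demo: throwaway root CA -> sub CA -> server certificate.
# Every file name, CN and function name here is an illustrative assumption.

# issue NAME CN EXTFILE [ISSUER]: write NAME.key and NAME.pem (self-signed if no ISSUER)
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ -n "$4" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
    fi
}

# check ARGS...: print OK or FAIL for "openssl verify ARGS..."
check() {
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

demo_chain() (
    d=$(mktemp -d) && cd "$d" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    issue root "Demo Root CA" ca.ext               || exit 1
    issue sub  "Demo Sub CA"  ca.ext root          || exit 1
    issue server "server.example.com" leaf.ext sub || exit 1

    # 1. Only the root is trusted: the sub CA is not visible, so no chain can be built.
    r1=$(check -CAfile root.pem server.pem)

    # 2. Sub CA and root concatenated into one file given to -CAfile.
    cat sub.pem root.pem > chain.pem
    r2=$(check -CAfile chain.pem server.pem)

    # 3. Trusted directory: c_rehash names each CA <subject-hash>.0; done by hand here.
    mkdir certs
    for ca in sub root; do
        cp "$ca.pem" "certs/$(openssl x509 -noout -hash -in "$ca.pem").0"
    done
    r3=$(check -CApath certs server.pem)

    echo "root_only=$r1 cafile=$r2 capath=$r3"
    cd / && rm -rf "$d"
)

demo_chain   # prints: root_only=FAIL cafile=OK capath=OK
```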