On Mon, Feb 27, 2006 at 07:36:16PM +0000, Brian Candler wrote:
> Ah. I had just used -cert ../server.example.com-cert.pem (where this file
> contains all the certificates). So now I've added -CAfile as well, pointing
> to the same file:
>
> #!/bin/sh
> cd content
> openssl s_server -cert ../server.example.com-cert.pem \
>     -CAfile ../server.example.com-cert.pem \
>     -key ../server.example.com-key.pem \
>     -WWW
>
> And it works. I've removed the sub-CA certificate and its symlink from
> /etc/ssl/certs, but the client can still verify the chain:

As a follow-up for the benefit of the list archive: to get this to work in
Apache+mod_ssl I just had to uncomment

    SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt

from httpd.conf, and point it at a file containing the sub-CA's certificate
(signed by the root CA) and the root CA's own self-signed certificate.

Regards,

Brian.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
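
Added example (not part of the original message or of the OpenSSL project): the script below builds a constructed root CA, sub-CA and server certificate, then shows that a client trusting only the root can verify the server certificate only when the sub-CA certificate is supplied alongside it, which is what -CAfile and SSLCertificateChainFile make the server do. The subject names, file names and the helper functions build_chain, verify_root_only and verify_with_chain are assumptions made for this example.

```shell
#!/bin/sh
# Constructed PKI: root CA -> sub-CA -> server.example.com (all names made up).

build_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    # Minimal config so nothing depends on the system openssl.cnf.
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
    # Root CA: self-signed.
    openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" -extensions ca_ext \
        -keyout root-key.pem -out root-cert.pem 2>/dev/null || exit 1
    # Sub-CA: signed by the root and marked CA:TRUE.
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Sub CA" -keyout sub-key.pem -out sub.csr 2>/dev/null || exit 1
    openssl x509 -req -in sub.csr -CA root-cert.pem -CAkey root-key.pem \
        -CAcreateserial -days 30 -extfile pki.cnf -extensions ca_ext \
        -out sub-cert.pem 2>/dev/null || exit 1
    # Server certificate: signed by the sub-CA, not by the root.
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.com" -keyout server-key.pem -out server.csr 2>/dev/null || exit 1
    openssl x509 -req -in server.csr -CA sub-cert.pem -CAkey sub-key.pem \
        -CAcreateserial -days 30 -out server-cert.pem 2>/dev/null || exit 1
)

# Client trusts only the root; the server presents only its own certificate.
verify_root_only() {
    openssl verify -CAfile "$1/root-cert.pem" "$1/server-cert.pem" 2>&1 |
        grep -q ': OK$'
}

# Client still trusts only the root; the sub-CA certificate is supplied as an
# untrusted chain certificate, as a server sends it in the handshake.
verify_with_chain() {
    openssl verify -CAfile "$1/root-cert.pem" -untrusted "$1/sub-cert.pem" \
        "$1/server-cert.pem" 2>&1 | grep -q ': OK$'
}

DEMO_DIR=$(mktemp -d) && build_chain "$DEMO_DIR" || exit 1
verify_root_only "$DEMO_DIR" && echo "root only: OK" || echo "root only: FAILED"
verify_with_chain "$DEMO_DIR" && echo "root + sub-CA from server: OK" ||
    echo "root + sub-CA from server: FAILED"
```

The sub-CA certificate passed with -untrusted is never treated as a trust anchor; it only fills the gap between the server certificate and the root the client already trusts.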