The only certificates that must be sent are the server identification and the certs up to (but not including) the trust anchor. (Since the client already has the trust anchor, it will verify against its local copy of the root CA, not the copy of the root CA that came from the connection.)
Sending the extra certificate doesn't hurt, though.

-Kyle H

On 2/27/06, Brian Candler <[EMAIL PROTECTED]> wrote:
> On Mon, Feb 27, 2006 at 07:36:16PM +0000, Brian Candler wrote:
> > Ah. I had just used -cert ../server.example.com-cert.pem (where this file
> > contains all the certificates). So now I've added -CAfile as well, pointing
> > to the same file:
> >
> > #!/bin/sh
> > cd content
> > openssl s_server -cert ../server.example.com-cert.pem \
> >   -CAfile ../server.example.com-cert.pem \
> >   -key ../server.example.com-key.pem \
> >   -WWW
> >
> > And it works. I've removed the sub-CA certificate and its symlink from
> > /etc/ssl/certs, but the client can still verify the chain:
>
> As a follow-up for the benefit of the list archive: to get this to work in
> Apache+mod_ssl I just had to uncomment
>
> SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt
>
> from httpd.conf, and point it at a file containing the sub-CA's certificate
> (signed by the root CA) and the root CA's own self-signed certificate.
>
> Regards,
>
> Brian.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> ______________________________________________________________________