On Sun, May 31, 2009 at 10:13:59AM +0100, David Woodhouse wrote:
> That makes a certain amount of sense; thanks. Forgive my ignorance -- is
> there a way to ensure that the full trust chain is included in the
> certificate itself, rather than having to provide the -CAfile option to
> openssl(1) separately? I naïvely tried just appending the contents of a
> working cafile to the certificate.pem file but that's not sufficient.
Yes, you concatenate them into a single file:
--- BEGIN...
client certificate bits
--- END...
--- BEGIN...
intermediate CA certificate that signed the above certificate
--- END...
...
--- BEGIN...
intermediate CA certificate that signed the above certificate
--- END...
--- BEGIN...
optional root CA certificate that signed the previous certificate
--- END...
> I found another strange behaviour that I didn't expect -- the _order_ of
> the certificates in the cafile seems to be important.
Yes, the TLS protocol requires the trust chain to be delivered bottom-up.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
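The layout Viktor describes, worked through as an added example (this script is not from the thread and is not OpenSSL project code). It assumes only the openssl(1) CLI is available. It generates a throwaway root, intermediate and client certificate (all names and keys constructed here), concatenates the client certificate and its signing CA in bottom-up order, and then goes one step beyond the reply: check_chain_order splits a PEM bundle and confirms that each certificate's issuer is the subject of the certificate that follows it, which is exactly the property a mis-ordered cafile violates.

```shell
#!/bin/sh
# Added example, not from the original thread.  Builds a throwaway
# root -> intermediate -> client hierarchy with openssl(1), assembles the
# bundle bottom-up (client certificate first, then each signing CA), and
# checks that order mechanically.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions marking a certificate as a CA (constructed for this example).
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"

# Self-signed root CA (throwaway RSA-2048 key, unencrypted, valid 2 days).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Client certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/client.pem" 2>/dev/null

ROOT_PEM="$WORK/root.pem"

# Bundle in the order the reply describes: client cert, then the CA that
# signed it.  The root is optional and left out here (the peer must already
# trust it, so sending it adds nothing).
CHAIN_PEM="$WORK/chain.pem"
cat "$WORK/client.pem" "$WORK/int.pem" > "$CHAIN_PEM"

# Same two certificates, reversed: this is the "wrong order" case.
WRONG_PEM="$WORK/wrong.pem"
cat "$WORK/int.pem" "$WORK/client.pem" > "$WRONG_PEM"

# Return 0 if the bundle is ordered bottom-up, i.e. every certificate is
# followed by the certificate that signed it; 1 otherwise.  Names are
# compared as openssl prints them (same format for -subject and -issuer).
check_chain_order() {
    split=$(mktemp -d "$WORK/split.XXXXXX")
    awk -v dir="$split" \
        '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n) }
         f != "" { print > f }' "$1"
    rc=0
    prev_issuer=""
    for cert in "$split"/*.pem; do
        subject=$(openssl x509 -in "$cert" -noout -subject)
        subject=${subject#subject=}
        issuer=$(openssl x509 -in "$cert" -noout -issuer)
        issuer=${issuer#issuer=}
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "order error: expected '$prev_issuer' next, found '$subject'" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    return "$rc"
}

# End-to-end check: the bundle supplies the untrusted intermediates, only the
# root is trusted, and the client certificate is the one being verified.
chain_verifies() {
    openssl verify -CAfile "$ROOT_PEM" -untrusted "$1" "$WORK/client.pem" \
        >/dev/null 2>&1
}

check_chain_order "$CHAIN_PEM" && echo "chain.pem: ordered bottom-up"
check_chain_order "$WRONG_PEM" || echo "wrong.pem: out of order"
chain_verifies "$CHAIN_PEM" && echo "chain.pem: client verifies against root"
chain_verifies "$WORK/client.pem" || echo "client.pem alone: missing intermediate"
```

Note that openssl verify itself is order-insensitive when the intermediates come in via -untrusted; the ordering check matters for what a TLS peer receives on the wire, which is why the bundle is built client-first and checked before being deployed rather than after a handshake fails.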