Hi Shaun,

unfortunately that's not possible. To serve both groups of clients over HTTPS, you need to check the truststores of both clients for a common trust anchor and get a certificate for your server from exactly this CA. And make sure to get a certificate from exactly that CA, as the big public CA players have multiple CAs in operation, and the browsers come with pre-installed CA certificates that are either no longer operational or not yet in operation. In case the truststores don't have a common share, you need to set up two different hostnames. Perhaps you can do some redirection based on some identifying header information, but that would require your entry point to be an HTTP URL.
HTH and sorry for top-posting,
Patrick Eisenacher

-----Original Message-----
From: Shaun Crampton

I have a server that needs to serve content to two groups of clients over HTTPS. One group of clients are standard web browsers, with the normal group of trusted roots. The other group are embedded devices that only support certificates signed by the manufacturer's trusted root (which is not a standard browser trusted root). Is there any way to accomplish this while using only one domain? E.g. is it possible for me to send a CSR to Thawte, get back the certificate and then send it on to the embedded device manufacturer for an additional signature? Will browsers support it?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
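The first step Patrick describes, checking both clients' truststores for a common trust anchor, can be scripted. The following is an added example, not code from either poster or from the OpenSSL project: it parses two PEM bundles with the Python standard library only, identifies each certificate by the SHA-256 fingerprint of its DER encoding, and reports the fingerprints present in both. The bundles embedded here are constructed placeholders (the PEM payloads are short byte strings, not real X.509 certificates); in practice you would read the browser root store export and the device manufacturer's bundle from files.

```python
import base64
import hashlib
import re

# One PEM CERTIFICATE block, base64 body captured (may span several lines).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def pem_bundle_to_der(bundle_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [
        base64.b64decode("".join(body.split()))
        for body in PEM_CERT_RE.findall(bundle_text)
    ]


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex.
    Matches what `openssl x509 -fingerprint -sha256` prints (minus colons)."""
    return hashlib.sha256(der).hexdigest()


def common_trust_anchors(bundle_a, bundle_b):
    """Sorted fingerprints of certificates that appear in BOTH bundles.

    This is an exact-DER comparison: a cross-signed or re-issued variant of
    the same CA key will not match, which is the conservative answer for
    'get the certificate from exactly this CA'."""
    fps_a = {fingerprint(der) for der in pem_bundle_to_der(bundle_a)}
    fps_b = {fingerprint(der) for der in pem_bundle_to_der(bundle_b)}
    return sorted(fps_a & fps_b)


def _constructed_pem(payload):
    """Wrap arbitrary bytes as a PEM CERTIFICATE block.
    Constructed placeholder for this example only: the payload is NOT a
    real DER-encoded X.509 certificate, it just exercises the parsing."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample stores (hypothetical contents): a "browser" store with
# three public roots and a "device" store with the manufacturer root plus
# one of the public roots.
BROWSER_BUNDLE = "".join(
    _constructed_pem(p) for p in (b"public-root-A", b"public-root-B", b"public-root-C")
)
DEVICE_BUNDLE = "".join(
    _constructed_pem(p) for p in (b"manufacturer-root", b"public-root-B")
)

if __name__ == "__main__":
    # Real use: open("browser-roots.pem").read(), open("device-roots.pem").read()
    shared = common_trust_anchors(BROWSER_BUNDLE, DEVICE_BUNDLE)
    if shared:
        print("common trust anchors (sha256):")
        for fp in shared:
            print("  " + fp)
    else:
        print("no common trust anchor: two hostnames (or two certificates) needed")
```

If the intersection is empty the device store and the browser store share no root, which is the case Patrick's last two sentences address. If you want to catch cross-signed variants of the same CA key as well, compare Subject Public Key Info instead of whole-certificate fingerprints; that needs an ASN.1 parser, so `openssl x509 -noout -pubkey` on each block is the usual shortcut.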