Sorry, the client will only trust a server cert that is signed by the manufacturer's root cert. The server's cert must be issued by the manufacturer's CA.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John R Pierce
Sent: 24 February 2010 00:17
To: openssl-users@openssl.org
Subject: Re: Sign an SSL certificate with mutile trusted roots?

Shaun Crampton wrote:
> Hi,
>
> I have a server that needs to serve content to two groups of clients
> over HTTPS. One group of clients are standard web browsers, with the
> normal group of trusted roots. The other group are embedded devices
> that only support certificates signed by the manufacturer's trusted
> root (which is not a standard browser trusted root).
>
> Is there any way to accomplish this while using only one domain? E.g.
> is it possible for me to send a CSR to Thawte, get back the
> certificate and then send it on to the embedded device manufacturer
> for an additional signature? Will browsers support it?

Are these embedded device certificates the device's client certs? Or do they require that the SERVER cert is issued from this manufacturer CA?

If it's just the client certs, then you just need to import the manufacturer's public CA cert on your server to authenticate the client certs.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org