On 14.12.2010 15:32, Jan Just Keijser wrote:
> Hi all,
> 
> I hate to reply to my own posting but I managed to get certificate chains
> working. The trick is in setting up the stacked client certificate in the
> right order. Here's what I did:
> 
> ca.crt --- server.crt
>        +-- sub-ca.crt --- client.crt
> 
> the server is configured with --ca ca.crt and --cert server.crt
> the client is configured with --ca ca.crt and --cert stacked.crt where
> 'stacked.crt' is created using
>   cat client.crt sub-ca.crt > stacked.crt

Yes. Most software also accepts certificate bundles or chains where the
documentation mentions "certificate". This is usually UNDOCUMENTED.

This intermediate-CA and certificate chaining business (chain = daisy chain) is
not very widely known and often done wrong.  It is sort of mentioned somewhere
deep in the TLS IETF standards, and you can get to it with some thinking about
how the trust transition works, as you did -- but it does not usually propagate
to the software documentation.

I've been through all this before, and the result is:

http://gitorious.org/fetchmail/fetchmail/blobs/master/README.SSL-SERVER

It also applies with exchanged roles for client-to-server authentication with
X.509 certificates.

Since it's GPL-licensed, feel free to take parts of it for the OpenVPN
documentation.

-- 
Matthias Andree
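
The hierarchy and stacking rule from the quoted post (ca -> sub-ca -> client, stacked client-first), worked through as an added example that is not part of either message. It is an sh script that assumes a reasonably recent `openssl` in PATH; the CA names, key sizes and the work directory are constructed for the example. Besides building the files it adds the check a practitioner wants before shipping `stacked.crt`: the peer reads the first certificate in the file as the client's identity, so a CA-first stack silently presents the sub-CA as the client even though every certificate in it is valid; `check_stack_order` catches that by requiring each certificate to be issued by the one that follows it.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Requires openssl (1.1.1 or
# newer is assumed). All names below (Example Root CA, Example Sub CA, client)
# and the temporary directories are constructed for this demonstration.
set -eu

# build_chain DIR: create ca.crt, sub-ca.crt and client.crt (with keys) in DIR,
# mirroring the layout in the post: ca signs server and sub-ca, sub-ca signs client.
build_chain() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca-ext.cnf"
    printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/leaf-ext.cnf"
    # Root CA: CSR self-signed with the CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
        -extfile "$dir/ca-ext.cnf" -out "$dir/ca.crt" 2>/dev/null
    # Intermediate (sub-CA): CSR signed by the root, marked as a CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Sub CA" \
        -keyout "$dir/sub-ca.key" -out "$dir/sub-ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/sub-ca.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$dir/ca-ext.cnf" -out "$dir/sub-ca.crt" 2>/dev/null
    # Client (leaf): CSR signed by the sub-CA, explicitly not a CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/sub-ca.crt" -CAkey "$dir/sub-ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/leaf-ext.cnf" -out "$dir/client.crt" 2>/dev/null
}

# split_stack FILE DIR: write each PEM certificate of FILE to DIR/cert<N>.pem
# (N = 1 for the first block) and print the number of certificates found.
split_stack() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ {n++} n>0 {print > (dir "/cert" n ".pem")} END {print n+0}' "$1"
}

# leaf_subject STACK: the identity a peer will take from STACK, i.e. the subject
# of the first certificate in the file.
leaf_subject() {
    tmp=$(mktemp -d)
    split_stack "$1" "$tmp" >/dev/null
    openssl x509 -in "$tmp/cert1.pem" -noout -subject
    rm -rf "$tmp"
}

# check_stack_order STACK: succeed only if the certificates are stacked leaf-first,
# each one issued by the certificate that follows it (the daisy chain).
check_stack_order() {
    tmp=$(mktemp -d)
    count=$(split_stack "$1" "$tmp")
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/cert$next.pem" -noout -subject)
        # Both come from the same openssl, so stripping the label makes them comparable.
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            rm -rf "$tmp"
            return 1
        fi
        i=$next
    done
    rm -rf "$tmp"
    return 0
}

# verify_stack CA STACK: what the server side does with the file it receives:
# verify the first certificate against the trusted root, using the rest of the
# stack as untrusted intermediates.
verify_stack() {
    tmp=$(mktemp -d)
    split_stack "$2" "$tmp" >/dev/null
    openssl verify -CAfile "$1" -untrusted "$2" "$tmp/cert1.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Demo: build the hierarchy, stack the client certificate both ways, and show
# which identity each stack presents.
WORK=$(mktemp -d)
build_chain "$WORK"
cat "$WORK/client.crt" "$WORK/sub-ca.crt" > "$WORK/stacked.crt"   # order from the post
cat "$WORK/sub-ca.crt" "$WORK/client.crt" > "$WORK/wrong.crt"     # CA first: wrong
for f in stacked.crt wrong.crt; do
    if check_stack_order "$WORK/$f"; then
        echo "$f: order OK, identity presented: $(leaf_subject "$WORK/$f")"
    else
        echo "$f: WRONG ORDER, identity presented: $(leaf_subject "$WORK/$f")"
    fi
done
verify_stack "$WORK/ca.crt" "$WORK/stacked.crt" && echo "stacked.crt: chain verifies against ca.crt"
rm -rf "$WORK"
```

Note that `openssl verify` passes for the wrongly ordered file as well, because the sub-CA certificate it finds first is itself valid under the root; only the order check reveals that the client would be authenticating as "Example Sub CA". Run the script as-is to see both cases; `check_stack_order` is the piece worth keeping in whatever tooling assembles the bundle.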
