On 03/04/2016 03:57 PM, David Woodhouse wrote:
> On Fri, 2016-03-04 at 15:37 +0300, ValdikSS wrote:
> What you described *was* chained certificates, wasn't it?
>
> From the point of view of a client which only trusts the old CA, the
> server is presenting a chain — its own cert, followed by the
> "intermediate" new CA which is in turn signed by the trusted 'old CA'.
>
> And from the point of view of a client which trusts the new CA, the
> server is presenting its own certificate, followed by something which
> can (and should) be ignored.
>
> Major CAs have done this, haven't they, resulting in a few crypto
> libraries having to be modified to back up the chain and look for
> *alternative* reasons to trust a cert from further back.
>

Yes, I'm trying to do exactly the same, and it doesn't work. It seems that
OpenVPN doesn't want to load multiple certificates on the server side for me.
I'll investigate it further.

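Added example, not part of the thread: a shell script that models the setup David describes (one new-CA key with a self-signed root plus a cross certificate issued by the old CA) and checks the server's chain as seen by a client trusting only the old CA and by one trusting only the new CA. All names (Old CA, New CA, vpn.example) are constructed placeholders; it assumes an OpenSSL command-line tool (1.0.2 or later) is installed.

```shell
#!/bin/sh
# Constructed example: cross-signed CA transition verified from both sides.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# keyid only in the AKID: the cross cert and the new root share the key, so a
# leaf issued by either chains to both (issuer name/serial would not).
KEYID='subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'

build_pki() {
  # Old CA: the self-signed root that legacy clients already trust.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout old-ca.key -out old-ca.crt \
    -subj "/CN=Old CA" -days 3650 2>/dev/null
  # New CA: one key, two certificates. (a) self-signed root for new clients.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout new-ca.key -out new-ca-root.crt \
    -subj "/CN=New CA" -days 3650 2>/dev/null
  # (b) cross certificate: same key and subject, but signed by the old CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n%s\n' "$KEYID" > ca.ext
  openssl req -new -key new-ca.key -subj "/CN=New CA" -out new-ca.csr 2>/dev/null
  openssl x509 -req -in new-ca.csr -CA old-ca.crt -CAkey old-ca.key -CAcreateserial \
    -extfile ca.ext -out new-ca-cross.crt -days 3650 2>/dev/null
  # Server leaf, issued by the new CA.
  printf 'basicConstraints=CA:FALSE\n%s\n' "$KEYID" > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -subj "/CN=vpn.example" \
    -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA new-ca-root.crt -CAkey new-ca.key -CAcreateserial \
    -extfile leaf.ext -out server.crt -days 825 2>/dev/null
}

# A client trusting $1 receives server.crt plus the extra certs in $2.
# -trusted_first makes OpenSSL stop at a trusted cert instead of following the
# cross cert back to the old CA (default since 1.1.0, needed on 1.0.2).
verify_with_extras() {
  openssl verify -trusted_first -CAfile "$1" -untrusted "$2" server.crt >/dev/null 2>&1
}
# The same client when the server sends only its own certificate.
verify_leaf_only() {
  openssl verify -CAfile "$1" server.crt >/dev/null 2>&1
}

build_pki
verify_with_extras old-ca.crt new-ca-cross.crt && echo "old-CA client, with cross cert: OK"
verify_with_extras new-ca-root.crt new-ca-cross.crt && echo "new-CA client, with cross cert: OK"
verify_leaf_only new-ca-root.crt && echo "new-CA client, leaf only: OK"
verify_leaf_only old-ca.crt || echo "old-CA client, leaf only: FAILS (intermediate missing)"
```

The file passed as the extras here is what OpenVPN's `--extra-certs` option sends alongside the server certificate.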