On 26/03/14 16:46, Daniel Kahn Gillmor wrote:
<snip>
> it doesn't even need to fetch the certificate itself, it could just make the big noisy error log say "you should fetch the cert from <AIAURL> and append it to <SSLCertificateChainFile>"
<AIAURL> is supposed to be DER-encoded rather than Base64-encoded, so the user would need to convert it using "openssl x509 -inform der -out" before appending it to <SSLCertificateChainFile>.
<AIAURL> is sometimes a PKCS#7 "certs only" bundle of multiple certs, all issued to the same Subject CA. The certs can be extracted using "openssl pkcs7 -inform der -print_certs", but which one of those certs (if any) should the user append to <SSLCertificateChainFile>?
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
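
An added example, not part of the original message or of any project's code: a standard-library Python sketch that takes the bytes fetched from an AIA caIssuers URL and normalises the two forms described above (a single DER certificate, or a PKCS#7 "certs only" bundle) into PEM blocks. The function names are this example's own; it also accepts a body that arrives already Base64/PEM-encoded, and it does not decide which of several bundled certificates belongs in the chain file.

```python
import base64
import re

PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, elem_start, value_start, value_end) for elements in [start, end)."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, start, vs, ve
        start = ve

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def aia_to_pem_certs(data):
    """Normalise a caIssuers response body to a list of PEM certificates."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    if m:  # body was Base64/PEM rather than DER
        data = base64.b64decode(m.group(2))
    tag, vs, ve = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if not data.startswith(PKCS7_SIGNED_DATA, vs):
        return [to_pem(data[:ve])]  # a single X.509 certificate
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _, _, c0s, _ = list(children(data, vs, ve))[1]
    _, sds, sde = read_tlv(data, c0s)  # the SignedData SEQUENCE
    certs = []
    for tag, _, s, e in children(data, sds, sde):
        if tag == 0xA0:  # certificates [0] IMPLICIT SET OF Certificate
            certs = [to_pem(data[es:ce]) for _, es, _, ce in children(data, s, e)]
    return certs
```

A bundle yields one PEM block per embedded certificate, in the order the bundle lists them; each still has to be checked against the server certificate's issuer before anything is appended.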