On Tue, Sep 13, 2016 at 12:05:53AM -0700, Philip Guenther wrote:
> See, here's where you're taking a wrong turn that I should have caught
> earlier: your first post should answer this question:
> What problem are you trying to solve?
>
> httpd may be able to do what you want *already*, but since you haven't
> actually *told anyone* what you're trying to do, no one can help you
> and say "oh yeah, that already works as documented in <blahblahbah>"

Since my certificate isn't provided by a root CA, any clients would have
to verify both my cert AND the certificates of the intermediate
authorities between me and the root CA. I can provide this certificate
stapled along with my own cert to save the client the trouble of
fetching it, which Qualys informs me is "good practice".

> Or maybe: "oh yeah, that can be done, but isn't documented because it
> seemed clunky. Use this configuration, and I'm fixing the docs".
>
> Or maybe: "oh yeah, that would be useful. I was thinking it should be
> done like <this> but if you implement it send me the diff."

If this is the case, I would like to know so I could try and implement
it myself and atone for my apparent sins.

> I suspect it's the middle case..but I'm not reyk@ and don't normally
> work on httpd...
>
>
> ...and I don't know why you took this thread off-list. This seems
> like a discussion that would be useful to others.

Forgot to cc the list ;)