Hello,

I would like to know if it is possible to do the following with mod_ssl, and if
so, how.  A client wants to have a certificate chain that goes something
like

root cert -> intermediate cert -> client cert

Ideally, I would like to have the client cert validated by the
intermediate cert, without client certs signed directly by the root cert
being validated as well.  Is there a way to define how far up the
validation goes (stop at the intermediate cert, and not have the root cert
present in the chain)?

If not (and this is our understanding), is it possible to define separate
certificate files/paths for validating client certs and for validating
non-self-signed ca certs?  It seems to me that these two are inseparable
after trying every way I could think of to do this.

It appears that this functionality already exists for intermediate server
certs (SSLCertificateChainFile?) but not for intermediate certs used for
client cert authentication.

If this is only possible by modifying mod_ssl or openssl itself, would it
be in violation of any protocol standards?  And would the change be
something the maintainers would be willing to fold into the open source
implementation (if the code passes the appropriate standards, etc.)?

Just to clarify, the undesired behavior is that since the root cert has to
be present for the validation to succeed for the intermediate cert, client
certs signed directly by the root cert are granted access as well.

Thanks,

  - Mike

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
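Since the question hinges on what a verifier does when the trust store holds only the intermediate, here is an added example (mine, not from the post and not mod_ssl's own code) that rebuilds the chain described above with the OpenSSL command line and checks both kinds of client certificate against three trust stores. It assumes OpenSSL 1.0.2 or later (for `-partial_chain`); the certificate names (`client-via-int`, `client-via-root`) and all keys are throwaway test material generated by the script.

```shell
#!/bin/sh
# Added example, not part of the original post: builds root -> intermediate
# -> client plus a second client signed directly by the root, then verifies
# each against different trust stores. Assumes OpenSSL >= 1.0.2.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA (throwaway key, constructed here).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root" \
    -keyout root.key -out root.pem >/dev/null 2>&1
# Intermediate CA, signed by the root, with the CA basicConstraints set.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out int.pem >/dev/null 2>&1

# issue_client NAME ISSUER_CERT ISSUER_KEY: writes NAME.pem (leaf, no CA bit).
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 365 -out "$1.pem" >/dev/null 2>&1
}
issue_client client-via-int int.pem int.key    # the client we want accepted
issue_client client-via-root root.pem root.key # the client we want rejected

# verify_ok CERT [openssl verify options...]: prints 0 if the chain verifies,
# 1 otherwise. Grepping for ": OK" avoids exit-code differences between versions.
verify_ok() {
    cert=$1; shift
    if openssl verify "$@" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo 0; else echo 1; fi
}

# A: root trusted, intermediate only as untrusted chain material -> both
#    clients verify. This is the behaviour the post complains about.
echo "A via-int=$(verify_ok client-via-int.pem -CAfile root.pem -untrusted int.pem)" \
     "via-root=$(verify_ok client-via-root.pem -CAfile root.pem -untrusted int.pem)"
# B: only the intermediate in the store, default rules -> even the
#    intermediate-signed client fails: no self-signed root completes the chain.
echo "B via-int=$(verify_ok client-via-int.pem -CAfile int.pem)"
# C: intermediate as an explicit trust anchor (-partial_chain) -> only the
#    intermediate-signed client passes; the root-signed one has no path to it.
echo "C via-int=$(verify_ok client-via-int.pem -partial_chain -CAfile int.pem)" \
     "via-root=$(verify_ok client-via-root.pem -partial_chain -CAfile int.pem)"
```

Case A reproduces exactly the unwanted acceptance described in the post and case B the failure seen when the root is left out; the script only exercises the OpenSSL verifier and does not show whether a given mod_ssl build can be configured for the case C behaviour.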
