:: Did you use IE? That seems to work fine (I guess it comes with the
:: Intermediate CA), Netscape and Opera both barf on it tho'.

Yes, IE 5.5; Konqueror 2.1.1 works too.

:: Wait until you try it in NS first :)

Nutscrape 4.76 says it "does not recognize the authority who [sic] signed
its [sic] certificate".

It gets the right info (ie. who it belongs to and who issued it).

Opera 5 says that the certificate chain is incomplete, and the signer is not
registered. So that kind of sucks... but you can accept the cert.

Are you using the right command though?

"This directive sets the optional all-in-one file where you can assemble the
certificates of Certification Authorities (CA) which form the certificate
chain of the server certificate. This starts with the issuing CA certificate
of the server certificate and can range up to the root CA certificate.
Such a file is simply the concatenation of the various PEM-encoded CA
Certificate files, usually in certificate chain order.

This should be used alternatively and/or additionally to
SSLCACertificatePath for explicitly constructing the server certificate
chain which is sent to the browser in addition to the server certificate. It
is especially useful to avoid conflicts with CA certificates when using
client authentication. Because although placing a CA certificate of the
server certificate chain into SSLCACertificatePath has the same effect for
the certificate chain construction, it has the side-effect that client
certificates issued by this same CA certificate are also accepted on client
authentication. That's usually not what one expects."

I presume you're not trying to explicitly construct the server certificate
chain that is being sent to the browser, together with the actual server
cert?

-- Juha



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
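
The distinction drawn in the quoted documentation, as an added configuration sketch that is not part of the original message or of the mod_ssl distribution. The host name and every file path are placeholders, and the client-authentication lines are an assumed setup included only to show the side effect.

```apache
# Constructed example: host name and all paths are placeholders.
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on

    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Weak variant: the intermediate CA certificate is placed in the
    # SSLCACertificatePath directory. The server chain is still built,
    # but with client authentication enabled, client certificates
    # issued by that same CA are accepted as well.
    # SSLCACertificatePath /path/to/ca-dir

    # Preferred variant: send the chain explicitly.
    # chain.pem is the concatenation of the PEM-encoded CA certificates,
    # starting with the CA that issued server.crt and optionally
    # continuing up to the root CA certificate.
    SSLCertificateChainFile /path/to/chain.pem

    # Trust for client certificates is kept separate from the server
    # chain (assumed setup: a dedicated client CA).
    SSLCACertificateFile /path/to/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1
</VirtualHost>
```

With the chain file in place, browsers that do not ship the intermediate CA receive it from the server during the handshake. In Apache httpd 2.4.8 and later, SSLCertificateChainFile is deprecated and the intermediate certificates can be appended to the file named by SSLCertificateFile.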
