On Thu, Mar 12, 2009, Rene Hollan wrote:

>  Yup. That fixed it.. At least as far as openssl verify -CAfile
> cacert.pem -untrusted intcert2.pem yahoo-x.pem goes.
> 
> Oddly, firefox still rejects the end cert, even though both cacert.pem
> and intcert2.pem are in it's trust store. Is it possible that browsers
> actually ignore intermediate CA certs in their trust store and expect
> servers to provide them? That's the next thing for me to try (if only I
> can remember how to do that with openssl... :-)).
> 

Well if you had to add intermediate CAs to browser trust stores they would be
of limited use. The whole idea is that you only need to add the root CA and
the browser will automatically trust intermediate CAs it hasn't seen before.

The SSL/TLS standards also require sending of the certificate chain (but the
root can be excluded).

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
