On Sun, May 31, 2009 at 10:13:59AM +0100, David Woodhouse wrote:
> That makes a certain amount of sense; thanks. Forgive my ignorance -- is
> there a way to ensure that the full trust chain is included in the
> certificate itself, rather than having to provide the -CAfile option to
> openssl(1) separately? I naïvely tried just appending the contents of a
> working cafile to the certificate.pem file but that's not sufficient.
Yes, you concatenate in a single file:

--- BEGIN...
client certificate bits
--- END...
--- BEGIN...
intermediate CA certificate that signed the above certificate
--- END...
...
--- BEGIN...
intermediate CA certificate that signed the above certificate
--- END...
--- BEGIN...
optional root CA certificate that signed the previous certificate
--- END...

> I found another strange behaviour that I didn't expect -- the _order_ of
> the certificates in the cafile seems to be important.

Yes, the TLS protocol requires the trust chain to be delivered bottom-up.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
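An added example, not from this thread: a POSIX shell script that builds a throwaway chain in the bottom-up order Viktor describes (client certificate, then the intermediate that signed it, then the root) and checks that every certificate in a bundle is followed by its issuer before the file is handed to openssl(1). It assumes openssl(1) is on PATH; the names and one-day test certificates are made up for the demo.

```shell
# Added example (not from the thread): assemble a chain file bottom-up and
# check the order. Assumes openssl(1) is on PATH; all names are made up.
set -eu
WORK=$(mktemp -d)

# Make a throwaway root CA, an intermediate CA signed by the root, and a
# client certificate signed by the intermediate, each valid for one day.
gen_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -batch -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  openssl req -new -batch -newkey rsa:2048 -nodes -subj '/CN=client.example.test' \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -days 1 \
    -out "$WORK/client.pem" 2>/dev/null
}

# Return 0 when each certificate in bundle $1 is followed by the one that
# issued it (leaf first, root last), the order TLS expects; otherwise 1.
check_chain_order() {
  d=$(mktemp -d)
  # Split the PEM bundle into 1.pem, 2.pem, ... and report how many there are.
  n=$(awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }
                     END { print n + 0 }' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    # Issuer name hash of cert i must equal subject name hash of cert i+1.
    issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer_hash)
    subject=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject_hash)
    [ "$issuer" = "$subject" ] || { rm -rf "$d"; return 1; }
    i=$((i + 1))
  done
  rm -rf "$d"
}

gen_test_chain
# Bottom-up: client cert, then the intermediate that signed it, then the root.
cat "$WORK/client.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
# Same certificates in the wrong order (intermediate before the client cert).
cat "$WORK/inter.pem" "$WORK/client.pem" "$WORK/root.pem" > "$WORK/wrong.pem"
check_chain_order "$WORK/chain.pem" && echo "chain.pem: bottom-up"
check_chain_order "$WORK/wrong.pem" || echo "wrong.pem: out of order"
# The chain also has to verify cryptographically back to the root.
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/client.pem"
```

The name-hash check only catches ordering mistakes; the final `openssl verify` is what confirms each signature actually chains to the root.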