Thanks for the information. It definitely doesn't work for any certificate, probably only for chained certificates. That's good news that there's no protocol limitation for this. I'll check the code to see what's going on.
On 03/04/2016 03:26 PM, Jan Just Keijser wrote:
> Hi,
>
> On 03/03/16 22:04, ValdikSS wrote:
>
> it's possible to send a stacked CA certificate (i.e. server certificate and
> intermediate CA cert) from server to the client. We use this in production,
> and it is done by simply stacking (cat'ing) the server cert and intermediary
> CA cert file into a single pem file. The intermediary CA is verified using the
> client-side ca.crt file and the server cert is signed by the intermediary CA.
> I'm not sure what would happen if you stick two CA certs into the file,
> however.
> If this does not work: when looking thru the openssl s_server code I see a
> -dcert option which does something similar - looks like it would be trivial
> to add to OpenVPN.
>
> JM2CW,
>
> JJK
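The stacking described in the quoted message can be checked offline before a file is deployed. The script below is an added example, not part of the thread or of OpenVPN; it assumes the `openssl` command-line tool is installed, and every file name and CN value in it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File names and CN values are constructed.
# Builds a throwaway root -> intermediate -> server chain, stacks server +
# intermediate into one PEM, and checks it against the root alone.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Extensions for CA certificates (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"

new_csr() {   # $1 = base name, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

make_chain() {
    new_csr ca "Example Root CA" && new_csr int "Example Intermediate CA" &&
    new_csr server "vpn.example.test" || return 1
    # Self-signed root: the only certificate the client keeps in ca.crt.
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null || return 1
    # Intermediate signed by the root; server cert signed by the intermediate.
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" \
        -CAkey "$WORK/int.key" -CAcreateserial -days 2 \
        -out "$WORK/server.crt" 2>/dev/null || return 1
    # Stack: server certificate first, then the intermediate CA certificate.
    cat "$WORK/server.crt" "$WORK/int.crt" > "$WORK/stacked.pem"
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Succeeds only if the first cert in $1 chains to ca.crt, using any further
# certs in the same file as untrusted intermediates.
chain_ok() {
    openssl verify -CAfile "$WORK/ca.crt" -untrusted "$1" "$1" 2>&1 |
        grep -q ': OK$'
}

make_chain || { echo "chain generation failed" >&2; exit 1; }
echo "certificates in stacked.pem: $(count_certs "$WORK/stacked.pem")"
chain_ok "$WORK/stacked.pem" && echo "stacked.pem verifies against root only"
chain_ok "$WORK/server.crt"  || echo "server.crt alone does not verify"
```

The second check fails because the verifier holds only the root: without the intermediate travelling alongside the server certificate, there is no path to the trust anchor.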