I've been running some tests with the s_server app (OpenSSL 0.9.5). It's set to demand client authentication with the -Verify option, and I'm pointing to a directory of CAs using the -CApath parameter.

Now, when a client (s_client, Netscape or IE) connects and offers a certificate that is signed by a CA that the server does not have a copy of, the connection is dropped with error 'X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY' (defined as 20), and has a text message of "unable to get local issuer certificate".

I completely understand *why* s_server is reporting this error, and I know that I could take a copy of the client CA's certificate and put it into the directory specified by -CApath, but is there a way to get the client process to include the CA certificate, i.e. send the complete certificate chain, not just the client's certificate (and therefore changing the error to "self signed certificate in chain")?

Hope that's clearer than mud. I did trawl the mailing list, but couldn't find an answer for this.

TIA - Dave.
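The two errors named in the question can be reproduced offline with `openssl verify`; this is an added example, not part of the original post. It shows that a CA certificate supplied by the peer only moves the failure from error 20 to error 19, and that verification succeeds only once the CA is in the verifier's own trust store. Assumptions: a current `openssl` CLI on PATH, `openssl verify` standing in for the check s_server performs, `-untrusted` standing in for certificates sent by the client, and constructed subject names and file names.

```sh
#!/bin/sh
# Added example. All names and subjects are constructed; assumes the openssl CLI is on PATH.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/empty_capath"   # a -CApath directory that does not hold the client's CA

# Build a throwaway self-signed CA and a client certificate issued by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=constructed-client" \
        -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$work/client.csr" -days 1 \
        -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/client.pem" 2>/dev/null
}

# verify_result <openssl verify options...>
# Prints the first X509_V_ERR number reported for client.pem, "ok" on success,
# or "fail" if verification failed without a numbered error.
verify_result() {
    out=$(openssl verify "$@" "$work/client.pem" 2>&1) && status=0 || status=$?
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    elif [ "$status" -eq 0 ]; then
        echo ok
    else
        echo fail
    fi
}

make_pki || { echo "certificate generation failed" >&2; exit 1; }

# 1. Client sends only its own certificate; the CA is not in the server's store.
echo "leaf only:          $(verify_result -CApath "$work/empty_capath")"
# 2. Client also sends the CA certificate (-untrusted models peer-supplied certs).
echo "leaf + sent chain:  $(verify_result -CApath "$work/empty_capath" \
    -untrusted "$work/ca.pem")"
# 3. The server operator installs the CA as a trust anchor.
echo "CA in trust store:  $(verify_result -CAfile "$work/ca.pem")"
```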