Hi,
I'm pointing CASCertificatePath at a file containing a root CA certificate
and an intermediate certificate. The intermediate certificate signed my CAS
server certificate. I'm not self-signing anything here.
Everything works fine. :-)

If I remove the intermediate certificate from the file, validation of the
server fails ("Certificate CN does not match"). This is true even though the
CAS server (fronted by Apache) is supplying the intermediate certificate
with its own certificate (as confirmed by running openssl s_client -connect
my.cas.server:443 -showcerts < /dev/null). If I give openssl a -CAfile
pointing at my CASCertificatePath file, it verifies OK.

My question is: can someone confirm that CASCertificatePath needs to contain
the whole chain down to the one that signed the actual server certificate,
or am I confused?

Thanks,
Kevin
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
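
The chain check described in the post, reproduced with openssl alone as an added example (not part of the original message and not the CAS module's own validation code): a constructed throwaway root, intermediate and leaf are verified three ways. The CA names, file names and the `build_pki`, `check` and `chain_demo` helpers are assumptions made for the demo; only the hostname comes from the post.

```shell
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
build_pki() {  # $1 = work directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
    -extensions v3_ca -subj "/CN=Constructed Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=Constructed Intermediate CA" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.cnf" -extensions v3_ca \
    -out "$1/int.pem" 2>/dev/null &&
  # Server (leaf) certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=my.cas.server" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null &&
  cat "$1/root.pem" "$1/int.pem" > "$1/bundle.pem"
}
# Prints OK or FAIL for one "openssl verify" invocation.
check() {
  if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo OK; else echo FAIL; fi
}
chain_demo() {
  dir=$(mktemp -d) || return 1
  build_pki "$dir" || { rm -rf "$dir"; return 1; }
  # 1. Trust file holds the root only; no intermediate is available anywhere.
  r1=$(check -CAfile "$dir/root.pem" "$dir/leaf.pem")
  # 2. Root only is trusted; intermediate passed as an untrusted helper cert.
  r2=$(check -CAfile "$dir/root.pem" -untrusted "$dir/int.pem" "$dir/leaf.pem")
  # 3. Trust file holds root + intermediate (the working setup in the post).
  r3=$(check -CAfile "$dir/bundle.pem" "$dir/leaf.pem")
  rm -rf "$dir"
  echo "$r1 $r2 $r3"
}
chain_demo
```

Case 2 shows that OpenSSL's verifier can complete the path from a root-only trust file when the intermediate is handed to it separately; whether a given client feeds the server-sent certificates into verification that way is the behaviour the question is asking about.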
