On Tue, Jan 23, 2007 at 08:47:26PM -0600, Travis H. wrote:

> This is not really typical of the traffic on this list, hence the OT.

It is much more typical of openssl-users, which is probably a better
bet for this question.

> Recently I had an issue where Google checkout would not accept an
> SSL certificate because Apache didn't present the entire hierarchy,
> just the site certificate itself.  The CA was Thawte.  What Google
> said was that many browsers supply missing certs as needed, but
> apparently their software did not.

Generally it is enough for a TLS server or client to present its own
certificate and all *intermediate* CA certificates, sending the root CA
cert is optional, because if the verifying system trusts the root CA in
question, it has a local copy of that root CA cert. There be limitations
in some verifier implementations that make it necessary to supply the
root CA cert anyway.


> The fix would seem to be easy; just put the right CA root cert in the
> SSLCACertFile directive.

No you concatenate multiple certificates (server first, then issuer,
then issuer's issuer, ...) into a single file and set that as the Server
Cert file, not the CA file.

Please take any further questions to openssl-users@openssl.org (via


 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to