On Tue, Jan 23, 2007 at 08:47:26PM -0600, Travis H. wrote:

> This is not really typical of the traffic on this list, hence the OT.

It is much more typical of openssl-users, which is probably a better
bet for this question.

> Recently I had an issue where Google checkout would not accept an
> SSL certificate because Apache didn't present the entire hierarchy,
> just the site certificate itself. The CA was Thawte. What Google
> said was that many browsers supply missing certs as needed, but
> apparently their software did not.

Generally it is enough for a TLS server or client to present its own
certificate and all *intermediate* CA certificates; sending the root CA
cert is optional, because if the verifying system trusts the root CA in
question, it has a local copy of that root CA cert.

There may be limitations in some verifier implementations that make it
necessary to supply the root CA cert anyway.

    http://www.postfix.org/TLS_README.html#server_cert_key

> The fix would seem to be easy; just put the right CA root cert in the
> SSLCACertFile directive.

No, you concatenate multiple certificates (server first, then issuer,
then issuer's issuer, ...) into a single file and set that as the
Server Cert file, not the CA file.

Please take any further questions to openssl-users@openssl.org (via [EMAIL PROTECTED]).

--
Victor Duchovni
IT Security, Morgan Stanley

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
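
Added example, not part of the original message: a POSIX shell check, using the openssl CLI, that a concatenated bundle is in the order the reply describes (server first, then issuer, then issuer's issuer). The function names are illustrative; the check compares subject and issuer names only and does not verify signatures.

```sh
#!/bin/sh
# Added example (not from the original message): check that a PEM bundle is
# ordered server cert first, then its issuer, then the issuer's issuer, ...
# Needs the openssl CLI. Compares names only; it does not verify signatures.

# Print "subject|issuer" (RFC 2253 form) for each certificate, in file order.
# Assumption: no distinguished name contains a '|' character.
chain_names() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one numbered file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        i=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        printf '%s|%s\n' "$s" "$i"
    done
    rm -rf "$tmp"
}

# Return 0 if every certificate is issued by the one that follows it,
# 1 if the order is wrong, 2 if the file holds no certificates.
check_chain_order() {
    names=$(chain_names "$1") || return 2
    [ -n "$names" ] || { echo "$1: no certificates found" >&2; return 2; }
    pos=0 prev_subject="" prev_issuer=""
    while IFS='|' read -r subject issuer; do
        pos=$((pos + 1))
        if [ "$pos" -gt 1 ] && [ "$subject" != "$prev_issuer" ]; then
            echo "$1: cert $pos is '$subject', expected '$prev_issuer'" >&2
            return 1
        fi
        prev_subject=$subject prev_issuer=$issuer
    done <<EOF
$names
EOF
    # A self-signed last certificate means the optional root was included.
    if [ "$prev_subject" = "$prev_issuer" ]; then root=included; else root=omitted; fi
    echo "$1: $pos certificate(s) in order, root $root"
}
```

Run `check_chain_order` on the bundle before pointing the server at it; `openssl verify` remains the tool for checking the signatures themselves.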