Rob Stradling <rob.stradl...@comodo.com> wrote:
> The README [1] says:
> "If multiple certificate chains are found, the shortest one is used."
>
> That's a good strategy for a browser to employ when deciding which chain to
> show in its certificate viewer, but it's unlikely to be the best strategy
> when configuring a server.
> There's often a cross-certificate issued by an older root to a newer root.
> For compatibility with browsers that don't trust the newer root, the server
> should send that cross-certificate too (even though it isn't part of the
> shortest chain).
>
> Using the longest available chain isn't always the correct strategy either
> though.
See also CloudFlare's "cfssl bundle" tool, which has an option to build the
most client-compatible cert chain bundle: https://github.com/cloudflare/cfssl.

Cheers,
Brian

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
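The trade-off Rob describes, worked through in a toy model. This is an added example, not code from the thread, from NSS or from cfssl. It models certificates as subject/issuer links only (no signatures are verified), and every name, certificate and client trust store in it is constructed for the illustration. The "legacy" and "modern" clients explore every issuer link they can find; the "distrusts-old-root" client is an assumed profile that has dropped the old root and only follows the chain in the order the server sent it. With that population, the shortest chain fails the legacy client, the longest chain (leaf + intermediate + cross-certificate) fails the client that follows the sent order and no longer trusts the old root, and the right bundle depends on which clients you care about, which is what a bundling tool has to score rather than "shortest" or "longest".

```python
"""Toy model of TLS chain-bundle selection: shortest chain vs. a bundle that
carries a cross-certificate. All names and trust stores are constructed for
this example; only subject/issuer links are checked, never signatures."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Cert:
    label: str    # unique handle; the new root exists as two certs with one subject
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed inventory (hypothetical names): a leaf under a new root, plus a
# cross-certificate in which the old root vouches for the new root's key.
LEAF = Cert("leaf", "example.test", "Intermediate")
INTERMEDIATE = Cert("intermediate", "Intermediate", "NewRoot")
NEW_ROOT = Cert("new-root", "NewRoot", "NewRoot")
CROSS = Cert("cross", "NewRoot", "OldRoot")
OLD_ROOT = Cert("old-root", "OldRoot", "OldRoot")
INVENTORY = [INTERMEDIATE, NEW_ROOT, CROSS, OLD_ROOT]


@dataclass(frozen=True)
class Client:
    name: str
    anchors: FrozenSet[str]   # labels of the roots this client trusts
    builds_paths: bool        # True: explores every issuer link; False: follows sent order only


# Constructed client profiles (assumed behaviours, not measured ones).
CLIENTS = [
    Client("legacy", frozenset({"old-root"}), builds_paths=True),
    Client("modern", frozenset({"old-root", "new-root"}), builds_paths=True),
    Client("distrusts-old-root", frozenset({"new-root"}), builds_paths=False),
]


def build_chains(leaf: Cert, pool: List[Cert]) -> List[List[Cert]]:
    """Every issuer path from leaf to a self-signed cert, using certs in pool."""
    found: List[List[Cert]] = []

    def walk(chain: List[Cert]) -> None:
        tail = chain[-1]
        if tail.self_signed:
            found.append(chain)
            return
        for cand in pool:
            if cand.subject == tail.issuer and cand not in chain:
                walk(chain + [cand])

    walk([leaf])
    return found


def client_accepts(client: Client, bundle: List[Cert]) -> bool:
    """Does this client reach one of its anchors from the bundle the server sent?"""
    anchors = [c for c in INVENTORY if c.label in client.anchors]
    if client.builds_paths:
        chains = build_chains(bundle[0], bundle[1:] + anchors)
        return any(chain[-1].label in client.anchors for chain in chains)
    # Sent-order client: adjacent certs must link up, and the last sent cert
    # must be issued directly by one of its anchors.
    for child, parent in zip(bundle, bundle[1:]):
        if child.issuer != parent.subject:
            return False
    return any(a.subject == bundle[-1].issuer for a in anchors)


def bundle_from_chain(chain: List[Cert]) -> List[Cert]:
    """Servers send the leaf plus intermediates; the self-signed root is omitted."""
    return [c for c in chain if not c.self_signed]


def compatible_clients(bundle: List[Cert], clients=CLIENTS) -> Set[str]:
    return {c.name for c in clients if client_accepts(c, bundle)}


def choose_bundle(clients=CLIENTS) -> List[str]:
    """Prefer the bundle accepted by the most client profiles; break ties by length."""
    candidates = [bundle_from_chain(ch) for ch in build_chains(LEAF, INVENTORY)]
    best = max(candidates, key=lambda b: (len(compatible_clients(b, clients)), -len(b)))
    return [c.label for c in best]


if __name__ == "__main__":
    for chain in build_chains(LEAF, INVENTORY):
        bundle = bundle_from_chain(chain)
        print([c.label for c in bundle], "->", sorted(compatible_clients(bundle)))
    print("chosen:", choose_bundle())
```

Running it lists the two candidate bundles with the client profiles each one satisfies; `choose_bundle()` with the full constructed population is a tie that the length rule resolves to the shorter bundle, while dropping the "distrusts-old-root" profile makes the cross-certificate bundle win. The scoring is deliberately crude: a real tool would weight the profiles by the traffic they represent and would also reject chains that a client cannot verify for other reasons (expired cross-certificate, unsupported signature algorithm), which this model ignores.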