> -----Original Message-----
> From: Peter Sylvester [mailto:[email protected]]
> Sent: Thursday, 13 August 2009 10:51
> To: [email protected]
> Subject: Re: Certificate chain order not conform to TLS standard
>
> Plüm, Rüdiger, VF-Group wrote:
> >
> >> -----Original Message-----
> >> From: Nick Gearls [mailto:[email protected]]
> >> Sent: Thursday, 13 August 2009 08:51
> >> To: [email protected]
> >> Subject: Re: Certificate chain order not conform to TLS standard
> >>
> >> I tried both orders:
> >>
> >> SSLCertificateFile conf/ssl/server.pem
> >> SSLCertificateChainFile conf/ssl/chain.pem
> >>
> >> where server.pem contains both the cert and the private key,
> >> and chain.pem contains either CA/root or root/CA
> >>
> >
> > Don't put the root cert in the chain file, only the intermediate certs.
> >
> > Regards
> >
> > Rüdiger
> >
> leaving a self-signed root should not be a problem:
>
>     This is a sequence (chain) of X.509v3 certificates. The sender's
>     certificate must come first in the list. Each following
>     certificate must directly certify the one preceding it. Because
>     certificate validation requires that root keys be distributed
>     independently, the self-signed certificate that specifies the root
>     certificate authority may optionally be omitted from the chain,
>

Right, but as far as I remember there are some picky SSL clients that puke if it is present. I am not saying that the behaviour of these clients is correct. Thus I said don't put it in :-)

Regards

Rüdiger
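
The ordering rule quoted in this thread, and the advice to keep the root out of the chain file, as an added example that is not part of the original messages. `Cert`, `build_chain` and `check_chain` are hypothetical names, the certificate names are constructed, and matching is by subject/issuer name only (as printed by `openssl x509 -noout -subject -issuer`), with no signature verification.

```python
from typing import List, NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert, pool: List[Cert], keep_root: bool = False) -> List[Cert]:
    """Order `pool` behind `leaf` so each cert certifies the one before it."""
    by_subject = {c.subject: c for c in pool}
    chain, seen, current = [leaf], {leaf.subject}, leaf
    while not current.self_signed:
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:
            break  # issuer not supplied (normal when the root is omitted) or a loop
        if nxt.self_signed and not keep_root:
            break  # root is distributed independently, so leave it out
        chain.append(nxt)
        seen.add(nxt.subject)
        current = nxt
    return chain


def check_chain(sent: List[Cert]) -> List[str]:
    """Report ordering problems in a chain, in the order the server sends it."""
    problems = []
    for i in range(1, len(sent)):
        if sent[i].subject != sent[i - 1].issuer:
            problems.append(f"position {i}: '{sent[i].subject}' does not "
                            f"certify '{sent[i - 1].subject}'")
    for i, cert in enumerate(sent):
        if i > 0 and cert.self_signed:
            problems.append(f"position {i}: self-signed root '{cert.subject}' included")
    return problems


# Constructed sample: server cert, one intermediate CA, one root CA.
LEAF = Cert("CN=www.example.org", "CN=Example Intermediate CA")
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")

if __name__ == "__main__":
    # The two chain.pem orders tried in the thread: CA/root and root/CA.
    for sent in ([LEAF, INTER, ROOT], [LEAF, ROOT, INTER]):
        print([c.subject for c in sent], check_chain(sent))
    print([c.subject for c in build_chain(LEAF, [ROOT, INTER])])
```
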
