On 05/30/18 10:41, A. Schulze wrote:
> In the third case an administrator has to provide files with
> certificates. And these files are required (by best practice)

Do you have any pointers to support such a strong statement?

> to include any chain-certificates excluding the self signed root.

Our upstream CA surely does not ship the signed certs that way. It
could, and that would support your statement - but it doesn't.

> There is no reason to only provide a certificate via ssl_cert = </path/to/file
> and a new/other place to provide intermediates.

Yes, there is. It saves manipulating the signed server cert, and mirrors
the fact that the intermediate CA certs have a longer lifetime than the
server cert.

Cheerio,
hauke
--
     The ASCII Ribbon Campaign          Hauke Fath
()     No HTML/RTF in email             Institut für Nachrichtentechnik
/\     No Word docs in email            TU Darmstadt
     Respect for open standards         Ruf +49-6151-16-21344