For the validation process, I would agree that putting the whole cert chain in the server side's keyring is a better approach, so that the client side only needs to have the root certificate in its keyring. It is simpler and it avoids the scenario in which the client has an expired intermediate cert.
But whether the certificate is connected with USAGE CERTAUTH, SITE or PERSONAL will not affect the validation process. The server's handshake application, like System SSL, goes through all the certificates in the server side's keyring to find a chain, regardless of the certificates' USAGE. The client validation application locates the issuer from the client's keyring first, again without looking at the certificates' USAGE, before using those supplied in the incoming chain from the server. Retrieving the certificate and key is performed by calling the RACF callable service R_DATALIB.

The USAGE is more relevant for the server when setting up the keyring, as access to the private key is based on the USAGE with which the certificate is connected. The RACF Callable Services book describes the condition in the R_DATALIB section.

Wai Choi - RACF/PKI Design and Development
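As an added illustration (not the post's or IBM's code) of the lookup order described above, the toy model below builds a chain from a keyring while ignoring USAGE, falling back to the peer-supplied chain only when the local ring lacks the issuer; the rule that only a PERSONAL connection exposes the private key is a simplifying assumption, not R_DATALIB's actual condition.

```python
# Added illustration of the lookup order described above: a toy model of keyring
# entries, not System SSL, RACF or R_DATALIB code. USAGE labels follow the post.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root

@dataclass(frozen=True)
class RingEntry:
    cert: Cert
    usage: str                # "CERTAUTH", "SITE" or "PERSONAL"
    has_private_key: bool = False

def find_issuer(cert, keyring, supplied):
    """Local keyring first, ignoring USAGE; then the chain the peer sent."""
    for entry in keyring:
        if entry.cert.subject == cert.issuer:
            return entry.cert
    for cand in supplied:
        if cand.subject == cert.issuer:
            return cand
    return None

def build_chain(leaf, keyring, supplied=()):
    """Follow issuer links up to a self-signed root; None if no complete chain."""
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.issuer != cur.subject:
        nxt = find_issuer(cur, keyring, supplied)
        if nxt is None or nxt.subject in seen:  # gap or loop
            return None
        chain.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return chain

def private_key_available(entry):
    """Simplified assumption: only a PERSONAL connection exposes the private key."""
    return entry.has_private_key and entry.usage == "PERSONAL"

# Constructed sample PKI: root -> intermediate -> server leaf.
ROOT = Cert("CN=Root CA", "CN=Root CA")
INTER = Cert("CN=Intermediate CA", "CN=Root CA")
LEAF = Cert("CN=server.example", "CN=Intermediate CA")
SERVER_RING = [RingEntry(LEAF, "PERSONAL", True), RingEntry(INTER, "CERTAUTH"), RingEntry(ROOT, "CERTAUTH")]
CLIENT_RING = [RingEntry(ROOT, "CERTAUTH")]  # client keeps only the root
def client_chain(sent):
    """Client resolves the root locally and fills the gap from what the server sent."""
    return build_chain(sent[0], CLIENT_RING, sent[1:])
```

With the full chain in the server ring, the client completes validation with only the root; if the server sent just its leaf, the root-only client could not find the intermediate and the chain would fail.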