POC wrote:
I want to be able to load trusted root CA certs and valid (but not trusted) intermediate CA certs. NSS requires an unbroken CA chain up to a root in order to validate a cert, and some SSL apps don't always send a CA chain along with their end user cert. I therefore pre-load some of the known intermediate CAs I know will be issuing certs to such apps.
-- POC
As Wan-Teh pointed out, those servers are misconfigured. However, I will note that at any rate, you don't need to give the intermediate certs valid CA trust. That trust bit is essentially a hack for the browser. It is used to mark certs as CA certs when they cannot otherwise be determined as such (e.g., missing the basic constraints extension, etc.) The chain will be constructed properly if the intermediates are given no trust, which is the correct thing to do.
-Ian
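The setup Ian describes, as an added example that is not part of the thread: a throwaway root, intermediate and leaf are generated with openssl, imported into a fresh NSS database with certutil, and the leaf is validated as an SSL server cert. Only the root gets a trust flag ("C,,"); the intermediate is imported with no trust bits (",,") and still chains correctly because its basicConstraints extension marks it as a CA. The demo then strips the root's trust to show that the trust bit on the anchor is what decides the outcome. It assumes openssl 1.1.1 or later (for -addext) and NSS certutil on PATH; all subject names, nicknames and paths are made up for the example.

```sh
#!/bin/sh
# Added example (not the thread's own commands). Assumes openssl and NSS certutil.
set -eu

# Build a constructed root -> intermediate -> leaf PKI under $1.
build_demo_pki() {
    dir=$1
    # Self-signed root with CA basic constraints.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA cert (CA:TRUE, pathlen 0) signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/inter.ext"
    openssl x509 -req -days 2 -set_serial 1000 -in "$dir/inter.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -extfile "$dir/inter.ext" -out "$dir/inter.pem" 2>/dev/null
    # Leaf server cert signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:demo.example\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -days 2 -set_serial 2000 -in "$dir/leaf.csr" \
        -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Import the three certs into a fresh NSS DB. Only the root is trusted:
# "C,," = trusted CA for SSL server certs; ",," = no trust bits at all.
nss_import() {
    dir=$1
    db="sql:$dir/nssdb"
    mkdir -p "$dir/nssdb"
    certutil -N -d "$db" --empty-password
    certutil -A -d "$db" -n "Demo Root"         -t "C,," -i "$dir/root.pem"
    certutil -A -d "$db" -n "Demo Intermediate" -t ",,"  -i "$dir/inter.pem"
    certutil -A -d "$db" -n "demo leaf"         -t ",,"  -i "$dir/leaf.pem"
}

# Validate the leaf for SSL server use (-u V), checking signatures (-e).
# Exit status is certutil's: 0 when NSS builds a chain to a trusted root.
nss_verify_leaf() {
    certutil -V -d "sql:$1/nssdb" -n "demo leaf" -u V -e
}

# Returns 0 only if the leaf validates with an untrusted intermediate AND
# stops validating once the root's trust flag is removed.
nss_trust_demo() {
    dir=$1
    build_demo_pki "$dir"
    nss_import "$dir"
    nss_verify_leaf "$dir" || return 1                      # expected: valid
    certutil -M -d "sql:$dir/nssdb" -n "Demo Root" -t ",,"  # drop root trust
    if nss_verify_leaf "$dir"; then return 1; fi            # expected: invalid
    return 0
}
```

Run it with `nss_trust_demo "$(mktemp -d)"`; the first certutil -V prints "certificate is valid" and the second fails with an issuer-not-recognized error, even though the intermediate never had a trust flag. Note that the intermediate is still only usable as a CA because it carries basicConstraints CA:TRUE; an intermediate missing that extension is the case where the trust bit hack Ian mentions would come into play.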
