Hi, you just need to add the CA2 and CA3 to the configuration of your servers.
To correctly build the chain of certificates, the client application needs to know where to find them. If you do not use the PRQP, then you need to provide it via the SSL configuration of your web server. Indeed the standard says that the SSL/TLS server should push the full chain of certificates to the client (but the trust anchor - which I think it is optional). This will solve your problem and will let the client to trust all of your server certificates. Later, Max Yildirim Zaynal wrote:
The environment: 1level root ca 2level sub-ca signed by 1level root-ca 3level sub-ca signed by 2level sub-ca server certificate signed with 3level sub-ca I have installed the 1level root ca public certificate on my browser, and I am expecting that every server certificate i have signed with the 3level sub ca will automatically be trusted. But the browser still gives me warnings regarding the the server certificate signed by the 3level sub-ca.. When i import the public certificate of 2level and 3level sub-ca's into my browser then it does not produce any warnings.. For me it seems natural that I only need the root ca certificate imported for the browser to trust anything signed by 2level or 3level sub-ca's.. Am I right, should i export the 1level root certificate in some specific way for this to work?? ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Openca-Users mailing list Openca-Users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openca-users
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
[EMAIL PROTECTED]
Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________ Openca-Users mailing list Openca-Users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openca-users
