Andrew Devenish-Meares <[email protected]> writes:

> We're currently starting to migrate our certificates to AusCERT, as we
> get a good deal as a University. As AusCERT is an intermediate CA, so
> we need to use a chain to get this to work.
> [...]
> This means that we need to install the intermediate certificate on
> clients that connect to our LDAP using SSL or TLS. Admittedly this
> isn't vastly different to what we need to do now in supplying our own CA.

You have to put the chain leading to the well-known root CA into your
server certificate file:

-----BEGIN CERTIFICATE-----
[your server cert]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[the intermediate certificate (issuer of your server cert)]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[possible other intermediate certificate (issuer of your intermediate cert)]
-----END CERTIFICATE-----

You may include the well-known root CA at the end (as the final issuer),
but that is not necessary, as that certificate must be present and
trusted on the client systems anyway.
-- 
Regards,
Feri.
