Hi, I've been reading the subject book, by Eric Rescorla, and ran across the following passage on page 110 (Chapter 4, under "CertificateRequest"):
"It is important to note that IF certificate chains are being used, then the CA name specified in the CertificateRequest message need not refer to the CA that signed the client's certificate, but may instead refer to one of the parent CAs."

I'm wondering if anyone can tell me what he might've meant by the "IF" in the above sentence? Are certificate chains sometimes used and sometimes not used? Under what conditions?

BTW, the reason that I've been looking at this is that I have a situation where I have a server certificate issued by a CA who is a subordinate CA to their root CA, and I'm trying to set up client authentication. I'm having a problem where clients (using IE6) have a number of client certificates, issued by the same subordinate CA that I got my server certificate from, but when they try to connect to my server, the popup window shows up blank.

A while ago, I got some information from this mailing list indicating that as part of the SSL handshake, the server sends a list of trusted CAs, and the client then only displays client certificates issued by those CAs.

In my case, I have both the root CA's certificate and the subordinate CA's certificate installed on the server, and also on the client, but still no client certificates appearing when the client tries to connect, and I can't figure out why.

Any suggestions would be greatly appreciated!!

Thanks,
Jim

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
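
The CA-name filtering described in the message above, as an added example that is not part of the original post or of OpenSSL: it parses the CA name list from a CertificateRequest body and shows which client certificates match when the server names only a parent CA. Assumptions: the SSLv3 / TLS 1.0-1.1 message layout, constructed byte strings standing in for DER-encoded names, and hypothetical function names and a hypothetical `chain_aware` switch.

```python
import struct

def build_request(cert_types: bytes, ca_names: list) -> bytes:
    """Encode a CertificateRequest body (SSLv3 / TLS 1.0-1.1 layout)."""
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return bytes([len(cert_types)]) + cert_types + struct.pack("!H", len(cas)) + cas

def parse_ca_names(body: bytes) -> list:
    """Return the DistinguishedName entries the server listed."""
    if not body or len(body) < 1 + body[0] + 2:
        raise ValueError("truncated CertificateRequest")
    pos = 1 + body[0]                      # skip certificate_types
    (total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + total != len(body):
        raise ValueError("certificate_authorities length mismatch")
    names = []
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated name length")
        (n,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if pos + n > len(body):
            raise ValueError("truncated name")
        names.append(body[pos:pos + n])
        pos += n
    return names

def offerable(certs: dict, ca_names: list, chain_aware: bool = True) -> list:
    """certs maps a label to the issuer names up its chain, leaf's issuer first.
    chain_aware=False models a hypothetical client that checks only the direct issuer."""
    wanted = set(ca_names)
    return [label for label, issuers in certs.items()
            if any(i in wanted for i in (issuers if chain_aware else issuers[:1]))]

# Constructed sample data: plain byte strings stand in for DER-encoded names.
ROOT, SUB, OTHER = b"CN=Example Root CA", b"CN=Example Sub CA", b"CN=Other CA"
CERTS = {"alice": [SUB, ROOT], "bob": [OTHER]}

if __name__ == "__main__":
    sent = parse_ca_names(build_request(b"\x01\x02", [ROOT]))  # server names only the root
    print("chain-aware match:", offerable(CERTS, sent))
    print("direct-issuer match:", offerable(CERTS, sent, chain_aware=False))
```

To see the names a real server sends, `openssl s_client -connect host:port` prints them under "Acceptable client certificate CA names".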