On Sun, Jul 02, 2006, snacktime wrote:

> Oops, you will also need this cert in the ca chain. The client cert
> that does verify was issued by this cert, which was issued by the
> root. The one I gave you that does not verify was issued by the root
> ca directly.
>
That's your problem then. OpenSSL needs to find the intermediate CA. This can
be either sent by the other party or explicitly on the command line.

So in the example with "openssl verify" you can include:

-untrusted intca.pem

and it should work.

Similarly if you have a webserver the SSL client (e.g. Firefox) needs to be
able to see the intermediate CA. You do this by either including the CA in
your list of trusted CAs or specify it manually as an "additional certificate".

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
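The behaviour described in the reply above, as an added example that is not part of the original message: a throwaway three-level chain is built and the client certificate is verified against the root alone and then with the intermediate passed via -untrusted. Apart from intca.pem, every file name, subject name and helper function is an assumption made for the demo.

```shell
#!/bin/sh
# Constructed demo PKI (all names made up): root -> intermediate -> client.

new_csr() {  # new_csr <dir> <name> <CN>: fresh key and certificate request
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # make_chain <dir>: write root.pem, intca.pem, client.pem
    # Minimal request config so the demo does not depend on a system openssl.cnf
    printf '[req]\ndistinguished_name=req\n' > "$1/req.cnf"
    # v3 extensions that mark a certificate as a CA
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext"
    new_csr "$1" root "Demo Root CA" &&
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" \
        -extfile "$1/ca.ext" -days 2 -out "$1/root.pem" 2>/dev/null &&
    new_csr "$1" intca "Demo Intermediate CA" &&
    openssl x509 -req -in "$1/intca.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/ca.ext" -days 2 -out "$1/intca.pem" 2>/dev/null &&
    new_csr "$1" client "demo client" &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/intca.pem" -CAkey "$1/intca.key" \
        -CAcreateserial -days 2 -out "$1/client.pem" 2>/dev/null
}

# Only the root is trusted and nothing supplies the intermediate:
# the chain from client.pem to root.pem cannot be built.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.pem" "$1/client.pem" >/dev/null 2>&1
}

# The intermediate is offered as an untrusted chain-building candidate;
# trust still comes only from root.pem.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/intca.pem" \
        "$1/client.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && make_chain "$d" || exit 1
verify_without_intermediate "$d" || echo "root only: verification fails"
verify_with_intermediate "$d" && echo "with -untrusted intca.pem: OK"
rm -rf "$d"
```

Certificates passed with -untrusted are used only to complete the path; a chain that does not end at a certificate in -CAfile still fails.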