* Tom Lane (t...@sss.pgh.pa.us) wrote:
> What I meant to question is *which* file the intermediate CA certs
> go into. It doesn't seem tremendously sensible to me to put them into
> the server.crt file, since that's intended to define exactly one cert,
> namely the one identifying the server. On the other hand, putting them
> into the root.crt file implies that the intermediate certs are as good
> as the real root CA for trust purposes, which might not quite be the
> right thing either.

Root CAs are self-signed. Intermediate CAs are not. They typically both go into directories/files like 'cacerts' (e.g.: Strongswan expects them in the cacerts directory). Most systems (uh, all?) will validate all the way up to a self-signed cert; intermediate CAs are only used as a mechanism to get to the root CA. I don't believe there's any confusion about intermediate CAs being accepted as root CAs just because they're in the same file or directory.

All that being said, I don't think anyone would really complain if intermediate CAs and root CAs were stored in different directories/files. That's how Windows has certificates separated out.

Thanks,

Stephen