I suppose my question boils down to "How can I validate certificates from SSL servers that fail to send intermediate certificates?"
There seem to be quite a few such servers out there, including some I have little choice but to use, and OpenSSL apparently doesn't like to validate a certificate if the intermediate certificates are not present.

I tried this with OpenBSD's Apache httpd, and I had to install an intermediate certificate chain file, and use a directive like SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem in httpd.conf in order for my certificate to validate with a web browser in OpenBSD. The default httpd.conf, which is rather verbosely self-documenting, does not mention this directive.

My research leads me to believe that the tool "c_rehash", which is not installed by default, will allow me to put intermediate certificates like this somewhere OpenSSL can use them for validating certificates from servers that do not present a complete chain all the way to a certificate directly signed by one of the roots.

Is there an easier or "right" way to do this? I feel like I must be doing something wrong when I'm driving myself bananas with all this technical fussing around just to validate common certificates.

Thanks,
--Justin
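
The client-side situation described in the message, as an added example that is not part of the original post: it builds a throwaway root, intermediate and leaf certificate (all names and paths are constructed), then checks the leaf against a hashed directory that holds only the root. Verification fails until the intermediate is either passed per call with -untrusted or copied into the directory and hashed, which is the step c_rehash automates.

```shell
#!/bin/sh
# Added example; every name and path below is constructed for the demo.
new_csr() {  # $1 = dir, $2 = basename, $3 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # $1 = dir; builds root -> intermediate -> leaf
    d=$1; mkdir -p "$d/trusted" || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "$d" root "Example Root" &&
    new_csr "$d" int "Example Intermediate" &&
    new_csr "$d" leaf "www.example.test" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/trusted/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/trusted/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

rehash() {  # $1 = dir; the core of c_rehash, without hash-collision handling
    for f in "$1"/*.pem; do
        h=$(openssl x509 -noout -hash -in "$f") || return 1
        ln -sf "$(basename "$f")" "$1/$h.0"   # OpenSSL looks up <subject-hash>.0
    done
}

verify_store() {  # $1 = dir; chain must be completable from trusted/ alone
    openssl verify -CApath "$1/trusted" "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

verify_untrusted() {  # $1 = dir; intermediate supplied only to help build the chain
    openssl verify -CApath "$1/trusted" -untrusted "$1/int.pem" "$1/leaf.pem" \
        2>/dev/null | grep -q ': OK$'
}

demo() {  # returns 0 when the three checks behave as described
    d=$(mktemp -d) && make_chain "$d" && rehash "$d/trusted" || return 1
    verify_store "$d" && return 1        # server sent no intermediate: must fail
    verify_untrusted "$d" || return 1    # intermediate passed for this call only
    cp "$d/int.pem" "$d/trusted/" && rehash "$d/trusted" && verify_store "$d"
}
```

With -untrusted the intermediate only helps build the chain, while copying it into the hashed directory makes it part of the local certificate store for every later verification.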