On Thu, 9 Aug 2012 11:33:48 +1000 David Gwynne <l...@animata.net> wrote:

> i believe as an ssl client you can add intermediate certs
> to /etc/ssl/cert.pem and they'll be used to validate the endpoint.

I do believe this would allow me as a client to validate certs signed by the intermediate certs with no problem, and in fact I seem to recall actually doing the same thing before with self-signed certs for my own use, but my hesitation with this method is that those intermediate certs will then be trusted unconditionally, since I've just promoted them to root status by appending them to /etc/ssl/cert.pem. I thought there was a more or less standard place to cache intermediate certs without implying absolute trust in them, so that any validation would still be required to proceed all the way up to a root in the original /etc/ssl/cert.pem.

> if you're an ssl server and your program doesn't let you specify a
> chain, you can just cat them on the end of the crt. eg, i do
> something like the following when configuring certs in nginx:
>
> root@host /etc/ssl# cat hostname.crt.201208 ca-bundle > hostname.chain.201208
> root@host /etc/ssl# ln -s hostname.chain.201208 hostname.crt
>
> and then i configure nginx to use the /etc/ssl/hostname.crt symlink
> to get the full chain.
>
> dlg

That helps clear things up on the server side for me, and thanks for the idea of using nginx, because I should hope it's more flexible than Apache's mod_proxy, which I'm trying to use now. :-)

--Justin
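An added, self-contained illustration of the two points in this exchange (it is not part of the thread and not anyone's production setup): the server-side chain file built by concatenating the leaf cert and the CA bundle, and the client-side distinction Justin is asking about, namely trusting only the root while handing intermediates over as chain-building material that is not itself a trust anchor. At the openssl(1) level that knob is `openssl verify -untrusted`; whether a particular application exposes an equivalent is up to that application. The script builds a throwaway root, intermediate and leaf with openssl(1) in a scratch directory; every subject name, file name and the directory are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread). Builds a throwaway root -> intermediate
# -> leaf chain with openssl(1), assembles the server-side chain file the way
# dlg describes (leaf first, then the CA bundle), and then verifies the leaf
# the way a client should: only the root is trusted, the intermediate is
# supplied as an *untrusted* helper that may be used for chain building.
# All names, subjects and the scratch directory are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_chain() (
  cd "$WORK"
  # CA certs must carry basicConstraints CA:TRUE or verify rejects them as issuers
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > leaf.ext

  # Root CA, self-signed
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj '/CN=Demo Root CA' >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1

  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj '/CN=Demo Intermediate CA' >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1

  # Server (leaf) cert, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
    -subj '/CN=host.example' >/dev/null 2>&1
  openssl x509 -req -in host.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out host.crt >/dev/null 2>&1

  # Server side, as in the thread: leaf first, then the intermediate(s).
  # A TLS server hands this whole file to clients; the root is NOT included.
  cat host.crt int.pem > host.chain
)

# Client side done right: trust only root.pem; int.pem is offered with
# -untrusted, so it can complete the chain but is never itself a trust anchor.
verify_with_untrusted_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/host.crt" >/dev/null 2>&1
}

# Client with the root only and no way to obtain the intermediate: chain
# building stops at the leaf ("unable to get local issuer certificate").
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/host.crt" >/dev/null 2>&1
}

# What a client sees from a server that serves host.chain: every cert in the
# served file is untrusted input, and only root.pem decides the outcome.
verify_served_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/host.chain" \
    "$WORK/host.crt" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
  make_chain
  verify_with_untrusted_intermediate && echo "root + untrusted intermediate: OK"
  verify_without_intermediate || echo "root only, intermediate missing: rejected (expected)"
  verify_served_chain && echo "root + served chain file: OK"
  echo "scratch files left in $WORK"
else
  echo "openssl(1) not found; nothing to demonstrate" >&2
fi
```

The middle check is the one worth keeping in mind when a server is misconfigured: a client that holds only the root and never receives the intermediate cannot complete the chain, which is exactly the failure that concatenating the intermediate onto the served cert file fixes. The served file never needs to contain the root, because the root is the one thing the client is expected to already trust.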