* Andrew Dunstan (andrew@dunslane.net) wrote:
> But it does need to be signed by a trusted signatory. At least in my
> test script (pretty ugly, but shown below for completeness), the
> Intermediate CA cert is signed with the Root cert rather than being
> self-signed as the Root cert is, and so if the server doesn't have
> that root cert as a trusted cert the validation fails.
Ok, good, that's really how it "should" be. As a side-note, I'd be very
curious about a self-signed intermediate cert.. :)
> In case 1, we put the root CA cert on the server and append the
> intermediate CA cert to the client's cert. This succeeds. In case 2,
> we put the intermediate CA cert on the server without the root CA's
> cert, and use the bare client cert. This fails. In case 3, we put
> both the root and the intermediate certs in the server's root.crt,
> and use the bare client key, and as expected this succeeds.
Excellent, that's really how it ought to be and I'm glad you had a
chance to test and verify it.
> So the idea that you can just plonk any Intermediate CA cert in
> root.crt and have all keys it signs validated is not true, AFAICT.
I'm afraid it may have been true once, a while back, but we fixed it.
Thanks!
Stephen