On Mar 7, 2013, at 9:37 AM, Ian Pilcher wrote:
> On 03/07/2013 08:28 AM, Tom Lane wrote:
>> Maybe I'm missing something, but I don't see why you'd expect a
>> different result. That leaves you with no way to validate the server's
>> own certificate.
>
> I don't follow. Why would the server need to validate it's own
> certificate?
What Tom said works for me. Here is a page that gives an example and I think it demonstrates that the root CA does not
alloweverybody in the gate, the chain has to be in place:
http://stackoverflow.com/questions/1456034/trouble-understanding-ssl-certificate-chain-verification
You can use the "openssl verify" command to test that the root is not wide open on it's own.