On 09.09.2014 at 08:26, Adam Williamson wrote:
> certificate_list
>    This is a sequence (chain) of certificates.  The sender's
>    certificate MUST come first in the list.  Each following
>    certificate MUST directly certify the one preceding it.  Because
>    certificate validation requires that root keys be distributed
>    independently, the self-signed certificate that specifies the root
>    certificate authority MAY be omitted from the chain, under the
>    assumption that the remote end must already possess it in order to
>    validate it in any case

sure?

IMHO normally I build a PEM file for httpd over years with
cat intermediate.pem ca.pem cert.pem key.pem > your.pem

https://www.ssllabs.com/ssltest/ also says that's fine
https://www.ssllabs.com/ssltest/analyze.html?d=secure.thelounge.net

well, I happily admit that I did it wrong and rebuild the PEM files, while the order has some logic for me

* "ca.pem" is signed by "intermediate.pem"
* first load "intermediate.pem" to verify "ca.pem" against it
* at the end the server cert signed by the chain before
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct