Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request

From Tom Lane
Subject Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Date
Msg-id 1860.1274832795@sss.pgh.pa.us
In reply to Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request  (Craig Ringer <craig@postnewspapers.com.au>)
Responses Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request  (Stephen Frost <sfrost@snowman.net>)
Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
Craig Ringer <craig@postnewspapers.com.au> writes:
> On 26/05/10 07:37, Tom Lane wrote:
>> Craig Ringer<craig@postnewspapers.com.au>  writes:
>>> I do *not* have the CA cert concatenated onto server.crt. I'll have to
>>> see if that works, because that's how it's usually done with OpenSSL.
>>
>> Hmm.  That case doesn't work for me; what does work is including the
>> intermediate cert in the server's root.crt.

> Sorry, that was my poor choice of words.

> s/the CA cert/the full certificate chain/g

What I meant to question is *which* file the intermediate CA certs
go into.  It doesn't seem tremendously sensible to me to put them into
the server.crt file, since that's intended to define exactly one cert,
namely the one identifying the server.  On the other hand, putting them
into the root.crt file implies that the intermediate certs are as good
as the real root CA for trust purposes, which might not quite be the
right thing either.

            regards, tom lane
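
Added example, not part of the message above and not PostgreSQL code: it uses the `openssl verify` command to show how OpenSSL's verifier treats an intermediate CA cert supplied as untrusted chain material versus one placed in the trusted CA file. The three-level chain, file names and subjects are constructed throwaway values.

```shell
# Constructed demo (throwaway keys, made-up names): root CA -> intermediate CA -> leaf.
mkreq() {  # $1 = file prefix, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {  # $1 = work directory
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  mkreq "$1/root" 'Demo Root CA' && mkreq "$1/int" 'Demo Intermediate CA' &&
  mkreq "$1/leaf" 'demo-leaf' &&
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -out "$1/leaf.crt" 2>/dev/null
}

# Run one `openssl verify` and report only whether it succeeded.
check() {  # $1 = label, rest = verify arguments
  label=$1; shift
  if openssl verify "$@" >/dev/null 2>&1; then echo "$label=ok"; else echo "$label=fail"; fi
}

placement_results() {
  d=$(mktemp -d) || return 1
  build_chain "$d" || { rm -rf "$d"; return 1; }
  cat "$d/root.crt" "$d/int.crt" > "$d/root_plus_int.crt"
  # Trust file holds only the root; nobody supplies the intermediate.
  check root_only -CAfile "$d/root.crt" "$d/leaf.crt"
  # Root is the only anchor; the intermediate is untrusted chain material.
  check chain_untrusted -CAfile "$d/root.crt" -untrusted "$d/int.crt" "$d/leaf.crt"
  # Intermediate concatenated into the trust file next to the root.
  check int_in_trust_file -CAfile "$d/root_plus_int.crt" "$d/leaf.crt"
  # Trust file holds the intermediate alone: by default the chain must still
  # end at a self-signed root, so this fails ...
  check int_alone -CAfile "$d/int.crt" "$d/leaf.crt"
  # ... unless partial chains are allowed, which makes it a trust anchor.
  check int_alone_partial -partial_chain -CAfile "$d/int.crt" "$d/leaf.crt"
  rm -rf "$d"
}

placement_results
```

The last two checks are the cases where the trust concern applies: a non-root cert in the trusted file becomes an anchor in its own right only when the verifier is told to accept partial chains.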
