Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request

From: Stephen Frost
Subject: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request
Date:
Msg-id: 20100526012328.GQ21875@tamriel.snowman.net
In reply to: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses: Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request  (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-bugs
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> What I meant to question is *which* file the intermediate CA certs
> go into.  It doesn't seem tremendously sensible to me to put them into
> the server.crt file, since that's intended to define exactly one cert,
> namely the one identifying the server.  On the other hand, putting them
> into the root.crt file implies that the intermediate certs are as good
> as the real root CA for trust purposes, which might not quite be the
> right thing either.

Root CAs are self-signed.  Intermediate CAs are not.  They typically
both go into directories/files like 'cacerts' (e.g. Strongswan expects
them in the cacerts directory).  Most systems (uh, all?) will validate
all the way up to a self-signed cert; intermediate CAs are only used as
a mechanism to get to the root CA.  I don't believe there's any
confusion about intermediate CAs being accepted as root CAs just because
they're in the same file or directory.

All that being said, I don't think anyone would really complain if
intermediate CAs and root CAs were stored in different
directories/files.  That's how Windows has certificates separated out.

    Thanks,

        Stephen
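The behaviour Stephen describes (a validator walks the chain up to a self-signed root and does not treat an intermediate in the trust file as an anchor by itself) can be checked directly with the OpenSSL CLI. The script below is an added example, not code from the thread or from PostgreSQL: it builds a constructed root -> intermediate -> leaf chain in a temporary directory and then runs `openssl verify` against different "root.crt"-style trust files. It assumes only that `openssl` is on PATH; every subject name and file name is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): how `openssl verify`
# treats intermediate CAs versus the self-signed root when both live in
# the same trust file. Assumes `openssl` is on PATH. All subjects are
# constructed test values.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_key_and_csr <basename> <CN>: fresh RSA key plus a CSR for that name.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# make_chain: root (self-signed) -> intermediate -> leaf, plus a bundle
# file holding root and intermediate together (the "root.crt" layout
# discussed in the thread).
make_chain() {
  # CA certs need CA:TRUE and keyCertSign; the leaf explicitly must not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.cnf"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' \
    > "$WORK/leaf.cnf"

  # Root CA: issuer == subject, signed with its own key. This is the only
  # real trust anchor in the chain.
  new_key_and_csr root "Constructed Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.cnf" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA: signed by the root, so NOT self-signed.
  new_key_and_csr intermediate "Constructed Intermediate CA"
  openssl x509 -req -in "$WORK/intermediate.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ca.cnf" -out "$WORK/intermediate.crt" >/dev/null 2>&1

  # Leaf (think: a client certificate) signed by the intermediate.
  new_key_and_csr leaf "constructed-client-user"
  openssl x509 -req -in "$WORK/leaf.csr" \
    -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" -CAcreateserial -days 1 \
    -extfile "$WORK/leaf.cnf" -out "$WORK/leaf.crt" >/dev/null 2>&1

  # One trust file containing both CAs, as a server's root.crt might.
  cat "$WORK/root.crt" "$WORK/intermediate.crt" > "$WORK/bundle.crt"
}

# verify_leaf <trust-file-basename> [extra `openssl verify` options...]
# Returns 0 when leaf.crt chains to a self-signed anchor in that file.
verify_leaf() {
  cafile="$WORK/$1"; shift
  openssl verify -CAfile "$cafile" "$@" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Stand-alone demo: show which trust files let the leaf validate.
make_chain
for ca in intermediate.crt root.crt bundle.crt; do
  if verify_leaf "$ca"; then
    echo "trust file $ca: leaf verifies"
  else
    echo "trust file $ca: leaf does NOT verify"
  fi
done
if verify_leaf root.crt -untrusted "$WORK/intermediate.crt"; then
  echo "root.crt as anchor + intermediate supplied as untrusted: leaf verifies"
fi
```

With only `intermediate.crt` in the trust file, verification fails ("unable to get issuer certificate"): the intermediate is found but it is not self-signed, so OpenSSL keeps looking for its issuer and never reaches an anchor. With only `root.crt` it also fails, because nothing supplies the missing intermediate. The bundle of both succeeds, and so does root-as-anchor with the intermediate passed via `-untrusted`, which is exactly the "intermediates are just a path to the root, not anchors themselves" point; the same default applies to the certificates a TLS peer sends in its handshake.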
