cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)

[Alan DeKok]

Andrew Hood wrote:
> Pardon me if I've missed something, but as far as I can tell the server
> cert isn't authorised to sign client certs, so I can't see how it could
> work. The CA can sign client certs.

  There can be multiple levels of CA's.  Verisign, your company, the
local division, etc.  This is all specifically allowed, and required, by
SSL.

  My suggestion was that maybe what's needed was to mark the server cert
with the CA properties.  The server cert would then be an intermediate
CA, which is Just Fine.

  Alan DeKok.