cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)

Sergio sergioyebenes at alumnos.upm.es
Fri Aug 22 15:08:03 CEST 2008


Andrew Hood wrote:
> Alan DeKok wrote:
>   
>> Andrew Hood wrote:
>>
>>     
>>> Pardon me if I've missed something, but as far as I can tell the server
>>> cert isn't authorised to sign client certs, so I can't see how it could
>>> work. The CA can sign client certs.
>>>       
>>   There can be multiple levels of CA's.  Verisign, your company, the
>> local division, etc.  This is all specifically allowed, and required, by
>> SSL.
>>     
>
> No argument there.
>
>   
>>   My suggestion was that maybe what's needed was to mark the server cert
>> with the CA properties.  The server cert would then be an intermediate
>> CA, which is Just Fine.
>>     
>
> That's what Sergio seemed to be getting at in changing the Makefile
> to have a CA rather than the server sign the client cert. Is that the
> better way?
>
> Is the answer to give the server the right to sign the cert, and if so,
> how do you do it so as to complete the root CA->server->client chain?
>
> However, there may be multiple servers, each with its own cert. Why
> should a client cert be signed by one server when it may be used with
> other servers?
>
>   
I wonder about the same questions, but nobody wants to reply. I think that
issuing certs with the server private key is better for CRL management,
because each server manages its own CRL. If somebody signs client certs
with the CA private key, the authority must provide the CRL to the servers.
The first solution is more comfortable, I think, but I don't really know
for sure. I'm not the developer, just a newbie thinking. Thinking is good.
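
As an added example (not FreeRADIUS' Makefile and not code from anyone in
this thread), here is the root CA -> server -> client chain Andrew asks
about, built with the openssl command line: the same server CSR is signed
once as a plain server cert and once with the CA properties Alan describes,
each version then signs a client CSR with the server's private key, and
only the intermediate-CA version produces a client cert that verifies
against the root. The last step has the server keep its own CRL for the
client certs it issued, which is the arrangement Sergio has in mind. The
names (Example Root CA, radius.example.org, user1), the extension sections
and the minimal "openssl ca" setup are made up for the demo; it assumes
openssl 1.1.1 or newer on PATH and leaves its files in a temp directory.

```shell
#!/bin/sh
# Added example, not FreeRADIUS' Makefile: build root CA -> server
# (intermediate CA) -> client with the openssl CLI, show why a server cert
# WITHOUT CA:TRUE cannot issue client certs, and let the server publish
# its own CRL.  Names and config sections are made up; needs openssl >= 1.1.1.
set -eu
WORK=$(mktemp -d); cd "$WORK"

cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
# self-signed root
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# ordinary server cert: CA:FALSE and no keyCertSign
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
# server cert that is also an intermediate CA (pathlen:0 = may only sign leaves)
[ v3_server_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign, cRLSign
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
# minimal "openssl ca" setup so the server can maintain its own CRL
[ ca ]
default_ca = server_ca
[ server_ca ]
dir = .
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/server.crt
private_key = $dir/server.key
default_md = sha256
default_crl_days = 30
EOF

q() { "$@" 2>/dev/null; }   # quiet wrapper for key-generation chatter
# 1. Root CA plus one CSR each for the server and a client (made-up names).
q openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config ext.cnf \
    -extensions v3_root -subj "/CN=Example Root CA" -keyout root.key -out root.crt
q openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -subj "/CN=radius.example.org" -keyout server.key -out server.csr
q openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -subj "/CN=user1" -keyout client.key -out client.csr

# sign <csr> <issuer cert> <issuer key> <extension section> <out>
sign() {
    q openssl x509 -req -days 30 -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -extfile ext.cnf -extensions "$4" -out "$5"
}
# 2. The root signs the same server CSR twice: plain, and with CA properties.
sign server.csr root.crt root.key v3_server    server_plain.crt
sign server.csr root.crt root.key v3_server_ca server.crt
# 3. Each server cert signs the client CSR with the server's private key.
sign client.csr server_plain.crt server.key v3_client client_bad.crt
sign client.csr server.crt       server.key v3_client client.crt

is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# verify_chain <intermediate> <leaf>: only root.crt is trusted
verify_chain() { openssl verify -CAfile root.crt -untrusted "$1" "$2" >/dev/null 2>&1; }
# same, plus a revocation check of the leaf against the server's CRL
verify_with_crl() {
    openssl verify -crl_check -CAfile root.crt -untrusted server.crt \
        -CRLfile server.crl "$1" >/dev/null 2>&1
}

for c in server_plain.crt server.crt; do
    if is_ca "$c"; then echo "$c: CA:TRUE"; else echo "$c: CA:FALSE"; fi
done
if verify_chain server_plain.crt client_bad.crt; then echo "client_bad.crt: OK (unexpected)"
else echo "client_bad.crt: rejected, its issuer is not a CA"; fi
if verify_chain server.crt client.crt; then echo "client.crt: chains to the root"; fi

# 4. The server runs its own CRL: empty first, then with user1 revoked.
#    The root CA's key is not needed for either step.
touch index.txt; echo 01 > crlnumber
q openssl ca -config ext.cnf -gencrl -out server.crl
if verify_with_crl client.crt; then echo "client.crt: not on server.crl"; fi
q openssl ca -config ext.cnf -revoke client.crt
q openssl ca -config ext.cnf -gencrl -out server.crl
if verify_with_crl client.crt; then echo "client.crt: still valid (unexpected)"
else echo "client.crt: revoked by server.crl"; fi
echo "artifacts left in $WORK"
```

Two things worth noticing in the output. The rejection of client_bad.crt is
exactly the situation Andrew describes: a cert with CA:FALSE and no
keyCertSign is not an authorised issuer, whatever key signed it. And the
per-server CRL only helps as long as clients are checked by the server that
issued them: client.crt chains through server.crt alone, so a second server
would have to present that first server's cert as an intermediate and fetch
its CRL from it, which is Andrew's multi-server question in another form.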

