Alan DeKok wrote:
Andrew Hood wrote:
Pardon me if I've missed something, but as far as I can tell the server cert isn't authorised to sign client certs, so I can't see how it could work. The CA can sign client certs.
There can be multiple levels of CA's. Verisign, your company, the local division, etc. This is all specifically allowed, and required, by SSL.
No argument there.
My suggestion was that maybe what's needed was to mark the server cert with the CA properties. The server cert would then be an intermediate CA, which is Just Fine.
That's what Sergio seemed to be getting at in changing with the Makefile to have a CA rather than the server sign the client cert. Is that the better way? Is the answer to give the server the right to sign the cert, and if so how you do it so as to complete the root CA->server->client chain? However, there may be multiple servers, each with its own cert. Why should a client cert be signed by one server when it may be used with other servers? -- REALITY.SYS not found: Universe halted.