On Jun 20, 2019, at 5:06 AM, Marco Santantonio <marco.santantonio@unito.it> wrote:
I have one last doubt on the subject. As I said, we use certificates issued by a public CA (Digicert). In the certificates chain that I insert in the certificate_file should i also enter the root CA or, being this public and recognized, do I expect the clients to know it already?
The clients should already know the root CA. It may work if you don't put the root CA into the certificate_file.
Does leaving the CA root in the chain not increase packet exchange with probable longer round-trip times and therefore slower authentications?
Leaving the root CA in the chain will likely add one more packet exchange. It may slow down authentication slightly. But in practice, this isn't much of an issue. If you enable fast session resumption, then 99% of authentications will use that, and will bypass the certificate exchange completely. And, leaving the root CA in there may help in some cases. I usually recommend being safe. Leave the root CA there, and enable fast session resumption. Alan DeKok.