On 09.09.2014 at 08:26, Adam Williamson wrote:
certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case
sure?
IMHO normally i build a PEM file for httpd over years with cat intermediate.pem ca.pem cert.pem key.pem > your.pem
https://www.ssllabs.com/ssltest/ also says that's fine https://www.ssllabs.com/ssltest/analyze.html?d=secure.thelounge.net
well, i happily admit that i did it wrong and rebuild the PEM-files while the order has some logic for me
* "ca.pem" is signed by "intermediate.pem"
* first load "intermediate.pem" to verify "ca.pem" against it
* at the end the server cert signed by the chain before
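
The ordering rule quoted from the TLS specification can be checked mechanically on a PEM bundle. The following is an added example, not part of the original message: it reads the issuer and subject of each certificate block and reports every position where the next certificate is not the issuer of the one before it. It compares names only and does not verify signatures; the function names and the sample certificates (DER skeletons built inline) are constructed for illustration.

```python
import base64
import re

def tlv(buf, pos):
    """Read one DER element at pos: return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) of one certificate as raw DER Name bytes."""
    _, pos, _ = tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)    # tbsCertificate SEQUENCE
    fields = []                  # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:          # skip the optional [0] version wrapper
            fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]

def misordered(pem_text):
    """List positions i where certificate i+1 is not the issuer of certificate i."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    chain = [names(base64.b64decode(b)) for b in blocks]
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]

# --- constructed sample input: DER skeletons carrying only the fields read above ---
def der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths suffice here

def skeleton(subject, issuer):
    def name(cn):
        attr = der(0x30, bytes.fromhex("0603550403") + der(0x0C, cn.encode()))
        return der(0x30, der(0x31, attr))
    tbs = der(0x30, bytes.fromhex("a003020102" "020101" "3000")
              + name(issuer) + bytes.fromhex("3000") + name(subject))
    body = base64.b64encode(der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

ROOT = skeleton("Example Root", "Example Root")
INTERMEDIATE = skeleton("Example Intermediate", "Example Root")
LEAF = skeleton("www.example.test", "Example Intermediate")
```

`misordered(LEAF + INTERMEDIATE + ROOT)` returns an empty list, while the intermediate, CA, server certificate order returns `[1]` because the server certificate follows the root instead of leading the chain.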