On 05/30/18 10:41, A. Schulze wrote:
> In the third case an administrator has to provide files with certificates. And these files are required (by best practice)

Do you have any pointers to support such a strong statement?

> to include any chain-certificates excluding the self-signed root.

Our upstream CA surely does not ship the signed certs that way. It could, and that would support your statement - but it doesn't.

> There is no reason to only provide a certificate via ssl_cert = </path/to/file
> and a new/other place to provide intermediates.

Yes, there is. It saves manipulating the signed server cert, and mirrors the fact that the intermediate CA certs have a longer lifetime than the server cert.

Cheerio, hauke
--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344
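
What the single-file approach debated in this thread involves in practice, as an added example that is not part of the original message: a shell helper that assembles the file for `ssl_cert = </path/to/file` from a server certificate and separately stored CA certificates, dropping any self-signed root. The function names, file names and the throwaway demo PKI are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); all file names are hypothetical.

# True when subject and issuer names match (self-issued, e.g. a root CA).
# Compares names only; it does not verify the signature.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$s" = "$i" ]
}

# build_chain LEAF CA...  -> PEM on stdout: leaf first, then every CA
# certificate that is not self-signed, in the order given.
build_chain() {
    leaf=$1; shift
    openssl x509 -in "$leaf" || return 1
    for ca in "$@"; do
        is_self_signed "$ca" || openssl x509 -in "$ca" || return 1
    done
}

# Number of certificates in a PEM file.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Constructed throwaway PKI for the demo: root -> intermediate -> leaf.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    issue() {  # issue NAME SUBJECT-CN SIGNER
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
            -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null &&
        openssl x509 -req -in "$d/$1.csr" -days 2 -CA "$d/$3.pem" \
            -CAkey "$d/$3.key" -CAcreateserial -out "$d/$1.pem" 2>/dev/null
    }
    issue int "Demo Intermediate" root && issue leaf "mail.example.test" int
}
```

Because the server certificate is only copied into a new file, the signed certificate as delivered by the CA stays untouched, and the bundle can be regenerated whenever the server certificate is renewed.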