On 26/05/10 07:37, Tom Lane wrote:
> Craig Ringer<craig(at)postnewspapers(dot)com(dot)au> writes:
>> I do *not* have the CA cert concatenated onto server.crt. I'll have to
>> see if that works, because that's how it's usually done with OpenSSL.
>
> Hmm. That case doesn't work for me; what does work is including the
> intermediate cert in the server's root.crt.
Sorry, that was my poor choice of words.
s/the CA cert/the full certificate chain/g
It is the intermediate certs that the client may not have that are the
important ones. 'the CA' I was referring to was the _intermediate_ CA,
eg the company sub-CA; I just needed to be (a lot) clearer about it.
--
Craig Ringer