FWIW, tls_g already has the behaviour that (I think) this ticket asks
for: if you set TLSCertificateFile to a file containing concatenated
server and intermediate certs, it sends the chain of both.
I found that useful in a setup very similar to what Andreas and Michael
describe: slapd with a server certificate issued by an external/public
CA, but trusting only a specific internal CA to authenticate clients.
The comparison to mod_ssl is apt. Note that in recent versions httpd
also supports loading the entire chain from SSLCertificateFile.
Show replies by date