Andrew Devenish-Meares adevenis@une.edu.au writes:
We're currently starting to migrate our certificates to AusCERT, as we get a good deal as a University. As AusCERT is an intermediate CA, we need to use a chain to get this to work. [...] This means that we need to install the intermediate certificate on clients that connect to our LDAP using SSL or TLS. Admittedly this isn't vastly different to what we need to do now in supplying our own CA.
You have to put the chain leading to the well-known root CA into your server certificate file:
-----BEGIN CERTIFICATE-----
[your server cert]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[the intermediate certificate (issuer of your server cert)]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[possible other intermediate certificate (issuer of your intermediate cert)]
-----END CERTIFICATE-----
You may include the well-known root CA at the end (as the final issuer), but that is not necessary, as that certificate must be present and trusted on the client systems anyway.
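An added example, not part of the original message: a stdlib-only Python check that a PEM bundle is in the order described above (server cert first, then each certificate's issuer in turn, root optional at the end). It walks just enough DER to pull the issuer and subject Name fields out of each certificate and compares them byte for byte, which is the ordering rule the server certificate file has to satisfy. The sample chain is constructed: `fake_cert_pem` builds unsigned stand-in certificates that contain only the TBS fields the check reads, so signatures and validity are not verified here, only the order of the file.

```python
import base64
import re

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_OID_CN = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def split_pem(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _PEM.finditer(text)]


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """List (tag, tlv_start, value_start, value_end) for the elements packed in buf[start:end]."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        out.append((tag, pos, vs, ve))
        pos = ve
    return out


def cert_names(der):
    """Return (subject, issuer) as the raw DER Name TLVs of an X.509 certificate."""
    _, cert_vs, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_vs, tbs_ve = _read_tlv(der, cert_vs)       # tbsCertificate SEQUENCE
    fields = _children(der, tbs_vs, tbs_ve)
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, subject = fields[2], fields[4]
    return der[subject[1]:subject[3]], der[issuer[1]:issuer[3]]


def _cn(name_der):
    """First commonName in a DER Name, for readable messages; hex of the Name if there is none."""
    _, vs, ve = _read_tlv(name_der, 0)
    for _, _, rdn_vs, rdn_ve in _children(name_der, vs, ve):
        for _, _, ava_vs, ava_ve in _children(name_der, rdn_vs, rdn_ve):
            oid, value = _children(name_der, ava_vs, ava_ve)
            if name_der[oid[2]:oid[3]] == _OID_CN:
                return name_der[value[2]:value[3]].decode("utf-8", "replace")
    return name_der.hex()


def chain_subjects(pem_text):
    """Subject CNs in file order, so you can eyeball what slapd will present."""
    return [_cn(cert_names(c)[0]) for c in split_pem(pem_text)]


def check_chain_order(pem_text):
    """Return a list of ordering problems; an empty list means the bundle is ordered as required."""
    certs = split_pem(pem_text)
    if not certs:
        return ["no certificates found"]
    names = [cert_names(c) for c in certs]
    problems = []
    if len(names) > 1 and names[0][0] == names[0][1]:
        problems.append("first certificate is self-signed; the server certificate must come first")
    for i in range(len(names) - 1):
        subj, issuer = names[i]
        next_subj, _ = names[i + 1]
        if issuer != next_subj:  # each cert must be followed by the cert that issued it
            problems.append(f"cert {i} ({_cn(subj)}) is issued by {_cn(issuer)}, "
                            f"but cert {i + 1} is {_cn(next_subj)}")
    return problems


# --- constructed test data: unsigned stand-ins with only the fields the check reads ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):  # Name ::= SEQUENCE OF SET OF { OID cn, UTF8String }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, _OID_CN) + _tlv(0x0C, cn.encode()))))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed certificate-shaped DER (no real key or signature), PEM-encoded."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))                      # [0] version v3
                     + _tlv(0x02, b"\x01")                                 # serialNumber
                     + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
                     + _name(issuer_cn)
                     + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
                     + _name(subject_cn)
                     + _tlv(0x30, b""))                                    # SPKI placeholder
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SERVER = fake_cert_pem("ldap.example.edu", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
GOOD_CHAIN = SERVER + INTERMEDIATE + ROOT   # root at the end is allowed but optional
BAD_CHAIN = INTERMEDIATE + SERVER           # wrong order: slapd would present the intermediate as its cert

if __name__ == "__main__":
    print(chain_subjects(GOOD_CHAIN))
    print(check_chain_order(GOOD_CHAIN) or "chain order OK")
    print(check_chain_order(BAD_CHAIN))
```

Run it against the real bundle with `check_chain_order(open("server.pem").read())`; the same check also catches a bundle pasted in the reverse order (root first), which some CA download pages produce. For the signature and trust check itself use `openssl verify -untrusted` with the intermediates, which this ordering check deliberately does not replace.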