Re: SSL server certificate that has an intermediary certificate in the chain

2011/8/1 Howard Chu hyc@symas.com: [...]

If there were indeed anything to be gained by such a feature, it would also need to be implemented on clients. Look around - do any web browsers allow you to isolate CAs like this?

Yes. You can basically isolate CAs into 3 categories (they can interleave): - CAs trusted to issue server certs - CAs trusted to issue email certs - CAs trusted to issue code signing certs

It's utter nonsense.

What is non-sense is having a bag full of CAs for mixed usage. More, you even mix CAs that need to be sent to the client (so it can build a certificate path) with CAs that the server trust (to verify client certs).