Current status

Hal Murray hmurray at megapathdsl.net
Wed Feb 13 23:18:17 UTC 2019


>> I'm calling that "cert and other certs" a chain.
> Except that is not the definition of a cert full chain file.
> Please don't make up new terms for long standing, well settled, concepts.

I didn't call it a "full" chain file.

I pulled the term "chain file" from the API.  If you have a URL for a good 
glossary, please share it.

From man SSL_CTX_use_certificate_chain_file
       SSL_CTX_use_certificate_chain_file() loads a certificate chain from
       file into ctx. The certificates must be in PEM format and must be
       sorted starting with the subject's certificate (actual client or server
       certificate), followed by intermediate CA certificates if applicable,
       and ending at the highest level (root) CA.

       SSL_CTX_use_certificate_chain_file() should be used instead of the
       SSL_CTX_use_certificate_file() function in order to allow the use of
       complete certificate chains even when no trusted CA storage is used or
       when the CA issuing the certificate shall not be added to the trusted
       CA storage.

As far as I can tell, you don't need the root cert when feeding the chain to a 
TLS server.  I think the TLS server sends the chain to the TLS client.  The 
client already has the root cert so it isn't needed in normal use.  It might 
be handy when checking things with command line tools.


-- 
These are my opinions.  I hate spam.
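As an added example (not code from this thread or from the project's own sources), here is a small Python check of the ordering rule quoted from the man page, which also reports whether a self-signed root was appended to the chain file. It parses PEM and DER directly, so it needs no third-party library; the sample certificates are constructed, unsigned placeholders whose only meaningful fields are the issuer and subject names.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def names(der):                                    # -> (issuer, subject) as raw DER Names
    _, pos, _ = tlv(der, 0)                        # Certificate ::= SEQUENCE
    _, pos, end = tlv(der, pos)                    # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < end:                               # collect tbsCertificate elements
        tag, _, ve = tlv(der, pos)
        fields.append((tag, der[pos:ve]))
        pos = ve
    if fields[0][0] == 0xA0:                       # skip optional [0] EXPLICIT version
        fields.pop(0)
    return fields[2][1], fields[4][1]              # serial, sigAlg, issuer, validity, subject

def check_chain_order(pem_text):
    """Chain-file rule: subject's cert first, each cert issued by the one after it.
    Returns (ordered_ok, includes_root); includes_root means the last cert is
    self-signed (root appended). Byte-for-byte Name comparison, no signature check."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if not certs:
        return False, False
    ordered_ok = all(certs[i][0] == certs[i + 1][1] for i in range(len(certs) - 1))
    return ordered_ok, certs[-1][0] == certs[-1][1]

def _enc(tag, body):                               # minimal DER encoder for the samples
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _fake_cert_pem(subject, issuer):               # constructed, unsigned placeholder cert
    name = lambda cn: _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + name(issuer) + _enc(0x30, b"") + name(subject))
    der = _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed sample chain: server cert -> intermediate -> root (root optional for a server)
LEAF = _fake_cert_pem("ntp.example", "Example Intermediate CA")
INTER = _fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = _fake_cert_pem("Example Root CA", "Example Root CA")
```

`check_chain_order(LEAF + INTER)` returns `(True, False)`, the layout a TLS server needs, while `LEAF + INTER + ROOT` returns `(True, True)` and `INTER + LEAF` returns `(False, False)`.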
