SSL/TLS question

[Craig Ringer]

Joe Rhett wrote:
>>I expect that'd do it; you'll still need to install the CA certificate 
>>in browsers, though. I have a similar setup, but with a CA cert 
>>generated in-house.
> 
> No you don't.  The server hands out both certificates during the
> connection process. It just works ;-)

That appears to depend on the client - it certainly doesn't work with 
Mozilla, and Eudora needs some manual steps that the users seem to have 
trouble with. OTOH, it _shouldn't_ work automatically; the cert is no 
more inherently trustworthy than any random one somebody has generated.

> In your case it sounds like you aren't using a certificate signed by any
> known authority.

Indeed.

>  He is - he's just using one signed by someone who was
> signed by a known authority.  Nothing needs to be installed in the
> browser.

OK - I must've misunderstood his initial email.

Craig Ringer