Not sure that was the point, as Rudy clearly says sending both.. 
I'll leave it at this..
1 Like
I prefer to teach a man to fish over just handing out fish.
The "spark" was to lead them think/test/learn/solve.
If the unit does require the intermediate cert, then that is a problem.
But... if it can be fed both intermediates, then either cert path would work.
1 Like
How? Because the certificate is ultimately signed by just one of them. Sending a useless intermediate too doesn't make the fact that the server is trusting the incorrect certs go away. If a good intermediate in the chain doesn't work, why would sending an incorrect intermediate too matter at all?
1 Like
That is not done from the server.
It gets done however the device allows:
My thought-provoking comment was to do just that provoke thought; Which might lead to testing which could lead to learning and ultimately lead to solving the problem.
1 Like
@ashuec90 maybe I am missing something, but why not just the Trusted Root Anchor Certificates?
3 Likes
Try pinning both.
1 Like
If “the device” doesn’t need a publicity trusted CA, consider setting up a dedicated private CA by your organization. Then you have total control and ease the reconfiguring of devices as you know all the pieces and make them deterministic.
5 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.