[users@httpd] SSLVerifyDepth and Intermediate CAs

["Rhoden, Barret J. Mr. CN (NGIT) HQ USAREUR/7A CIO G6" <ba...@us.army.mil>]

hi - 

when using certificate authentication for clients, does the certificate in
the approved SSLCACertificatePath (or List) have to be a self-signed
certificate?

i would like to be able to explicitly trust specific, intermediate CAs,
instead of the root CA and every intermediate CA that root CA signs.  i
tried setting SSLVerifyDepth to 1, and put the intermediate CA's cert in the
appropriate path, but the only way apache seems to accept a client
certificate is if the depth reaches the root cert, and the root cert is in
the path.

if this is working as intended, can someone (me?) add a note to the
documentation saying that (unless it was supposed to be intuitively obvious
to the casual observer).  if not, what pitfalls might i have stumbled into?

thanks in advance,

barret