Ian Pilcher <arequipeno@gmail.com> writes:
> BTW, you can't just "list the certs of the intermediate CAs you do
> trust"; you have to put the root CA certificate into root.crt in order
> for OpenSSL to build a complete chain,

I believe you are mistaken. OpenSSL just wants a chain to one of the
certs you've told it to trust.

But in any case, Stephen is right that intermediate certs aren't meant
to be used in the way you want. They're just a mechanism for a CA to
use for its own purposes.

regards, tom lane