We want to use the handin-server with an SSL certificate signed by a certifying authority to increase security and convenience for the status server (no security warnings). This seems to work fine, the only hard part was that the server-cert.pem file needs to contain the whole PEM-format certification chain.
Maybe this could be mentioned in the documentation as an alternative to a self-signed certificate?
Or is there some reason not to use this configuration?
Toxaris changed the title from "SSL Certificate Chain" to "Document how to use a non-self-signed certificate" on Apr 11, 2014.
This seems to work fine, the only hard part was that the server-cert.pem file needs to contain the whole PEM-format certification chain.
18 months later, I realized this:
Server side, the server-cert.pem should not include the root of the certificate chain — it's not needed (since the root certificate only matters when it appears in the certificate store), and it's bad practice (mostly because it adds overhead at connection time). When getting this wrong, I think I even got warnings from ssllabs.com's testing service.
Client side, the root should be included, because server-cert.pem is just a certificate store. Trickily, omitting the root certificate will create no problem until you ship to users without configured certificate stores — apparently Windows users. Since the actual error message is by default omitted, this masquerades as "connection failed", so we tried to debug firewall problems.
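The two files described in the comment above, built from a throw-away root/intermediate/leaf chain and checked with openssl, as an added example (not the handin-server project's own code): every name is constructed, and it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example: generate a constructed root -> intermediate -> leaf chain,
# assemble the server bundle (leaf + intermediate, no root) and the client
# store (root only), then check each file the way a deployer should.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:handin.example.test\n' > leaf.ext
# Self-signed root: this belongs in the client's trust store only.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root' \
  -keyout root.key -out root.pem 2>/dev/null
# Intermediate signed by the root, then a leaf signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=handin.example.test' \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null
# Server side: leaf first, then the intermediates, and no root.
cat leaf.pem int.pem > server-cert.pem
# Client side: the "store" is just the trust anchor(s).
cp root.pem client-store.pem

# Print the last certificate of a PEM bundle.
last_cert() { awk '/BEGIN CERT/{b=""} {b=b $0 "\n"} END{printf "%s", b}' "$1"; }

# Succeeds when the bundle's last certificate is self-signed, i.e. a root was
# shipped in the server bundle (subject hash equals issuer hash).
server_bundle_has_root() {
  s=$(last_cert "$1" | openssl x509 -noout -subject_hash)
  i=$(last_cert "$1" | openssl x509 -noout -issuer_hash)
  [ "$s" = "$i" ]
}

# Succeeds when the leaf chains, via the server bundle, to a root in the
# client store; a store holding no self-signed root makes this fail.
client_can_verify() {  # $1 = client store, $2 = server bundle
  openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
}

if server_bundle_has_root server-cert.pem; then echo 'server bundle ships the root'; fi
if client_can_verify client-store.pem server-cert.pem; then echo 'client store verifies the chain'; fi
```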