From 2230d96cf333adbc23854a20bc4bf4d04947e7fd Mon Sep 17 00:00:00 2001
From: Nate Klingenstein <ndk@internet2.edu>
Date: Mon, 22 Sep 2003 05:38:21 +0000
Subject: [PATCH] Added information about ca-bundle.crt for origins.

---
 doc/InQueue.html | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/doc/InQueue.html b/doc/InQueue.html
index 6fcb6a4..2535623 100644
--- a/doc/InQueue.html
+++ b/doc/InQueue.html
@@ -229,6 +229,18 @@
 						HEPKI Test CA</a></li>
 					<li><a href="http://www.cren.net/crenca/">CREN CA</a></li>
 				</ul>
+				
+				<p>For origins, OpenSSL must also be configured to use the
+				appropriate set of trusted roots for the issuance of SSL
+				certificates that Shibboleth trusts.  For InQueue, this list may
+				be obtained from <span
+				class="fixedwidth">http://wayf.internet2.edu/InQueue/ca-bundle.
+				crt</span>.  This list should then be copied for <span
+				class="fixedwidth">mod_ssl</span>, which will typically need to
+				be to <span
+				class="fixedwidth">/conf/ssl.crt/ca-bundle.crt</span>.  This
+				list of CA's is <b>not</b> rigorous nor secure and may contain
+				CA's which have no level of assurance or are questionable.</p>
 			</blockquote>
 
 			<h4>2.4  Attributes</h4>
-- 
2.1.4