
Background: Apache 2.4 (server) and Windows 7 Internet Explorer (client) using PKI; both machines are on a "dark network" (no internet access).

Question: In the SSL handshake, how does the client receive the intermediate CA? Can't it use the Apache-provided one?

My attempt:

Apache serves (1) server's certificate, (2) intermediate CA, (3) root CA to the client

Client attempts to verify the chain via internet, fails, checks locally

Troubleshooting: I have run a Fiddler and netsh trace, and the client tries--though obviously fails--to contact the intermediate CA authority. Ultimately, the SSL connection succeeds. I'm trying to understand how the client verifies the intermediate CA without internet access and without a locally saved certificate.

mellow-yellow

0 Answers