* When using a certificate authority, it is sufficient for the
clients to have the CA's signing certificate (as opposed to the
server's actual certificate). This is the certificate that the
CA uses to sign the certificates that it issues. If the client
has the CA's signing certificate then it also trusts any
certificates which are signed using that certificate. In this
way, when the server's certificate expires, and it obtains a new
certificate from the CA, the new certificate will be
automatically trusted by clients without having to obtain a new
certificate from the server.

Ah, that makes a lot of sense. Where would the client look to find
the CA's certificates? I see there's an /etc/pki/nssdb that ships
with nspr, but it appears to be empty (no certs at all, according
to certutil -L). Are they installed somewhere else?
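
The renewal behaviour described in the quoted explanation above, as an added example that is not part of the original thread. It uses the `openssl` command line (an assumption; the message itself refers to the NSS tools) with a constructed throwaway CA, and all file and subject names are hypothetical.

```shell
#!/bin/sh
# Added example: constructed test CA and server keys, hypothetical names.

# Create a self-signed CA signing certificate in directory $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a server certificate named $2, signed by the CA stored in $1.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 7 -out "$1/$2.crt" 2>/dev/null
}

# Client side: the only trust anchor is the CA certificate $1.
# Succeeds if certificate $2 carries a valid signature from that CA.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: the client holds only ca.crt, yet accepts both the original
# server certificate and its later replacement.
d=$(mktemp -d)
make_ca "$d"
issue_server_cert "$d" old
issue_server_cert "$d" renewed
for c in old renewed; do
    if client_trusts "$d/ca.crt" "$d/$c.crt"; then
        echo "$c: trusted via the CA certificate"
    else
        echo "$c: NOT trusted"
    fi
done
rm -rf "$d"
```

A certificate signed by a different CA fails the same check even if that CA uses the same subject name, because verification depends on the signature and not on the name.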