Hi John, > Did you mean that when using rightca, I should have locally installed > the certificate with DN the same as provided for rightca option > otherwise the option is igmored? Yep. You should actually see a warning in the log, saying something like "CA certificate "..." not found, discarding CA constraint". Regards, Tobias