Apple's Secure Transport API defines a function, SSLSetCertificate, of which the certRefs parameter is an array of certificates. The documentation states (emphasis added):
You must place in
certRefs[0]aSecIdentityRefobject that identifies the leaf certificate and its corresponding private key. Specifying a root certificate is optional; if it’s not specified, the root certificate that verifies the certificate chain specified here must be present in the system wide set of trusted anchor certificates.
Whilst it says "the root certificate…must be present", it's not clear whether trust chains so found will actually be provided to the SSL peer (albeit it's difficult to think of any other reason for that requirement to exist).
How does one ensure that the full certificate chain (back to a self-signed root, or else a system trust anchor) is provided to the peer?
In particular, must all constituent certificates be included in this
certRefsparameter (or does that have no bearing)?
Background
This question follows an earlier post on ServerFault. Having now RTFS, it's clear that slapd calls
SSLSetCertificatewith only the host's identity certificate and at no stage attempts to furnish Secure Transport with the certificate chain—perhaps that's okay (because Secure Transport is supposed to sort it all out), but I have a hunch this might be the cause of the problem.