To illustrate what I'm trying to do:
https://www.google.com uses a cert issued by Thawte SGC CA (which in turn is issued by one of the Verisign CAs). It looks like Internet Explorer comes with that issuer cert preinstalled, but Firefox (I'm using 3.5.1) does not. Nevertheless, the browser doesn't complain that the site cert is untrusted, because the Thawte cert gets installed right then and there. So far so good.
I have a server (using Apache) where I'd like to accomplish the same thing. It also uses a cert from the same CA, and I've got it sending the complete chain of trust during the SSL handshake (using the httpd.conf SSLCertificateChainFile directive). But if the intermediate cert isn't already imported into Firefox's Authorities keystore, it'll complain that the site cert isn't trusted.
In short, then, my question is: what do I need to do to get the Thawte cert to auto-install, so that the browser will accept the site cert without prompting?
Something with the chain file is screwed up. Apache will send the chain file, which must be signed by a CA that is already trusted by the browser; there's no way to add it. The browser will verify the chain, and allow a cert signed by the chain if the chain is successfully verified.
Thawte should have instructions and ready-made chain files for you to install on their support pages.
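As an added illustration of the point made in this answer (this script is not from the original thread, nor Thawte's or Apache's material): it builds a throwaway root -> intermediate -> leaf chain with openssl, then runs the same three verifications a browser effectively performs. The trust store stands in for the roots the browser ships with, and the "untrusted" file stands in for what the server sends via SSLCertificateChainFile. All names (Demo Root CA, Demo Intermediate CA, Unrelated Root CA, www.example.test) and the verify_leaf helper are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a local
# root -> intermediate -> leaf PKI with openssl and checks which
# combinations of "trust store" and "chain sent by server" verify.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so the script does not depend on the
# system openssl.cnf. Section v3_ca is used for both CAs, v3_leaf for
# the server cert.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Root CA (made-up name). This plays the role of a root the browser
# already ships with.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# A second, unrelated root: a CA the browser does NOT trust.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=Unrelated Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# Intermediate CA, signed by the root (the "Thawte SGC CA" role).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
  -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/req.cnf" -extensions v3_ca -out "$WORK/int.crt" 2>/dev/null

# Leaf (server) cert, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
  -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" \
  -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
  -extfile "$WORK/req.cnf" -extensions v3_leaf -out "$WORK/leaf.crt" 2>/dev/null

# verify_leaf TRUST_STORE [CHAIN_FILE]
#   TRUST_STORE: roots the client already trusts.
#   CHAIN_FILE : intermediates the server sends next to the leaf
#                (what Apache reads from SSLCertificateChainFile);
#                omit it to simulate a server that sends only the leaf.
# Prints OK or FAIL, mirroring the browser's accept/complain decision.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.crt" \
      >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$WORK/leaf.crt" \
      >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Case 1: server sends only the leaf; root is trusted but the
# intermediate is missing, so the chain cannot be built.      -> FAIL
echo "leaf only, trusted root:            $(verify_leaf "$WORK/root.crt")"
# Case 2: server sends leaf + intermediate and the chain ends at a
# trusted root.                                               -> OK
echo "leaf + intermediate, trusted root:  $(verify_leaf "$WORK/root.crt" "$WORK/int.crt")"
# Case 3: full chain sent, but it ends at a root the client does not
# trust. No amount of chain material fixes this.              -> FAIL
echo "leaf + intermediate, untrusted root: $(verify_leaf "$WORK/other.crt" "$WORK/int.crt")"

# To inspect what a live server actually sends, look at the
# "Certificate chain" section of:
#   openssl s_client -connect host:443 -servername host -showcerts </dev/null
```

Case 1 is the failure the question describes (a browser that has not yet seen the intermediate), case 2 is the fix, and case 3 shows the answer's point that the chain file only helps when it terminates at a root the browser already has. The `-untrusted` flag is the right way to feed the intermediate to `openssl verify`: putting the intermediate in `-CAfile` instead would be testing a different situation (an intermediate manually imported as a trust anchor).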
I believe you need to put the CA root certificate on the server, same place as the server cert.