June 06, 2011 07:59PM
So after playing around with this further and using the openssl client to see what is coming back it's still not working. For some reason the chain hierarchy isn't coming through to the client. Even with openssl client it can see there are three certificates but the one thing that stands out for me is that there is a line in the response saying "No client certificate CA names sent" which chimes with what I'm seeing on the Chrome side which is that the certificate itself is valid but there's no hierarchy that allows the certificate to become authorised.

Any ideas with this? I'm totally stumped - especially because I've dealt with 2-certificate setups before with absolutely no problems once I realised I needed to concatenate them...

For what it's worth - this is the output of openssl client (obfuscated)

Cheers
ajfisher


CONNECTED(00000003)
depth=3 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify return:1
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify return:1
depth=1 /C=US/O=Thawte, Inc./CN=Thawte SSL CA
verify return:1
depth=0 /C=AU/ST=Victoria/L=North Melbourne/O=My Bizg/OU=Marketing/CN=my.domain.com
verify return:1
---
Certificate chain
0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
.. SNIP ..
-----END CERTIFICATE-----
subject=/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3687 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 87D1AEB1E1625530ACACB0E88458C0AB310A4C94A2DAA8E5F9F7C333747FBD2D
Session-ID-ctx:
Master-Key: ... SNIP ...
Key-Arg : None
Krb5 Principal: None
Start Time: 1307404193
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0
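
An added example (not part of the original post, and not nginx or OpenSSL code): a check that, in the "Certificate chain" section of s_client output, each certificate's issuer is the subject of the certificate sent after it, which is the order TLS expects a server to send. The function names are hypothetical, and the sample is the chain section copied from the post above.

```python
import re

# Constructed sample: the "Certificate chain" section copied from the post above.
SAMPLE = """\
Certificate chain
0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
"""

def parse_chain(text):
    """Return [(index, subject, issuer)] in the order the server sent them."""
    chain, in_section = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Certificate chain":
            in_section = True
        elif in_section and line == "---":
            break
        elif in_section and re.match(r"\d+ s:", line):
            idx, subject = line.split(" s:", 1)
            chain.append([int(idx), subject, None])
        elif in_section and line.startswith("i:") and chain:
            chain[-1][2] = line[2:]
    return [tuple(c) for c in chain]

def order_problems(chain):
    """Index pairs (i, j) where cert i's issuer is not cert j's subject."""
    return [(a[0], b[0]) for a, b in zip(chain, chain[1:]) if a[2] != b[1]]

def suggest_order(chain):
    """Leaf-first order found by following issuer -> subject links."""
    if not chain:
        return []
    by_subject = {c[1]: c for c in chain}
    ordered, cur = [], chain[0]
    while cur and cur not in ordered:   # stop at an unknown issuer or a loop
        ordered.append(cur)
        cur = by_subject.get(cur[2])
    return [c[0] for c in ordered]

if __name__ == "__main__":
    sent = parse_chain(SAMPLE)
    print("out-of-order pairs:", order_problems(sent))
    print("issuer-linked order:", suggest_order(sent))
```

Run against the posted chain, the check reports that certificate 0's issuer is not certificate 1's subject, and following the issuer links gives the order 0, 2, 1.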

Subject | Author | Posted
Thawte SSL with 3 certificates | ajfisher | June 05, 2011 03:12AM
Re: Thawte SSL with 3 certificates | Igor Sysoev | June 05, 2011 03:32AM
Re: Thawte SSL with 3 certificates | ajfisher | June 05, 2011 08:04AM
Re: Thawte SSL with 3 certificates | ajfisher | June 06, 2011 07:59PM
Re: Thawte SSL with 3 certificates | Maxim Dounin | June 06, 2011 08:16PM

