Here is a handy command to find out what CAs are accepted by a website. When your website is configured to require client PKI certificates with the SSLVerifyClient require directive, it will only accept client certificates issued by CAs that you trust as defined in your SSLCACertificateFile directive.
We usually set our up like this:
SSLCACertificateFile /etc/httpd/ssl/ca-bundle.crt
If you want to verify what is in that file for a remote host without going to the server you can run this command from any client. It will simulate a web client and the server tells it what CAs are trusted and it will print them out. Pretty neat!
openssl s_client -showcerts -connect beta.usecobra.com:443 –prexit