How to get hold of root certificate? #152
Comments
For me, this is a general issue with ACME (v2). The root certificate is sometimes needed; for ELB/AWS (as @jderusse pointed out here), or for nginx OCSP verification enabled with ssl_trusted_certificate set.
Hi @felixfontein, you raise a good point about requiring the root certificate to perform an end-to-end validation of the issued certificates.
I think providing it by GET would make sense. I think writing it to disk would be more complicated and we already know ACME clients are set up to GET resources from the ACME API endpoint. Maybe something as simple as a For the larger question of how ACME should handle this case I think a new thread on the ACME WG mailing list is the best bet. Given that the draft is in last call and this is a fairly minor corner case I don't think there will be considerable appetite for fixing it in the current draft but I think starting the discussion is a good idea.
Yes, something like I definitely don't want the ACME spec delayed because of this :) But it's definitely something which should be solved eventually. I'll start a discussion at some point.
Wouldn't the directory/meta structure be a good place for it? The root certificate could be added there as binary, or as a URL where it is available for download.
@shred I think it is a very bad idea for a real CA (for Pebble it can be fine), as different certificates could use a different root. If you embed a single root in directory/meta, it can be pretty unclear for which certificates this root is valid and for which it isn't (without going through the chain). So this should be something provided per order (or per finalization, same as the intermediate certificate).
I think for now keeping it outside the
Provides a `GET` endpoint to retrieve the CA's root certificate. Fixes #152.
As part of integration tests, I'm verifying the generated certificate chain. However, since #148, I also need the root certificate to validate the chain.
Is there a way to get hold of it? (I think there currently isn't.)
It would be really nice to be able to get the root certificate from somewhere (i.e. Pebble writes it to disk, or provides an endpoint where it can be read with a `GET`). (ACME itself doesn't provide a way to retrieve the root certificate for an order AFAIK; is that correct? If not, that would also solve this ;-) )