Alternate certificate chains and TLSA

Hi there,

I have a feature request regarding the "preferred chain" feature:

I think it would be nice if my LE client could ask for a signature chain that includes a signature for a given issuer - either as a self-signature, or as signed from another authority.

To illustrate the use case: I would like to be able to use a TLSA record that would pin my certificate chain to the ISRG Root X1 issuer. I can currently ask for a certificate chain that goes through the ISRG Root X1, and (currently) this will serve me a certificate chain that is rooted at X1. But, this is not sufficient for TLSA purposes - I need a chain that includes a signature for the X1 certificate - I would like to be served a chain that includes either the DST Root CA X3 signature for the ISRG Root X1, or, maybe when the X3 signature expires, a chain that includes the ISRG Root X1 self-signature.

The benefit of pinning a TLSA record to the ISRG Root X1 is that it would work for quite a long time - I wouldn't have to worry about Let's Encrypt switching intermediate certificates, etc.

It is currently possible to build the desired certificate chain in post-processing, but I think it would be better if the server and/or the Let's Encrypt clients could provide it directly?
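The post-processing step described above, written out as an added Go example that is not part of the post or of any Let's Encrypt client: it generates a stand-in PKI (the names `Pin`, `Cross` and `Inter` and every certificate are constructed, not the real ISRG or DST certificates), walks from the leaf until the chain contains a certificate *for* the pinned issuer rather than one merely issued by it, preferring a cross-signed copy over the self-signature, and renders the DANE-TA record with selector 1 (SubjectPublicKeyInfo) so that the same record matches whichever copy of X1 the chain carries. The helper names `issue`, `DemoPKI`, `BuildChain` and `TLSA` are this example's own.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Stand-in names for the CAs in the post; every certificate below is generated here, none is the real one.
const Pin, Cross, Inter = "ISRG Root X1 (demo)", "DST Root CA X3 (demo)", "R3 (demo)"
func key() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
// issue signs a certificate for cn with subject key sk under parent/pk (self-signed when parent is nil).
func issue(cn string, serial int64, ca bool, sk ed25519.PrivateKey, parent *x509.Certificate, pk ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil { parent, pk = t, sk }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, sk.Public(), pk)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der) // re-parse so the Raw* fields used below are populated
	return c
}
// DemoPKI builds leaf <- R3 <- X1; the pool holds X1 both self-signed and cross-signed by X3 (same key).
func DemoPKI() (leaf, x1Self, x1Cross *x509.Certificate, pool []*x509.Certificate) {
	x3k, x1k, r3k := key(), key(), key()
	x3, x1Self := issue(Cross, 1, true, x3k, nil, nil), issue(Pin, 2, true, x1k, nil, nil)
	x1Cross = issue(Pin, 3, true, x1k, x3, x3k) // same key as x1Self, signed by X3
	r3 := issue(Inter, 4, true, r3k, x1Self, x1k)
	leaf = issue("example.test", 5, false, key(), r3, r3k)
	return leaf, x1Self, x1Cross, []*x509.Certificate{r3, x1Self, x1Cross, x3}
}
// BuildChain extends leaf until the chain holds a certificate *for* pin (not merely one issued by it),
// preferring an unexpired cross-signed copy over the self-signature when both are in the pool.
func BuildChain(leaf *x509.Certificate, pool []*x509.Certificate, pin string) []*x509.Certificate {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; cur.Subject.CommonName != pin; chain = append(chain, cur) {
		var next *x509.Certificate
		for _, c := range pool {
			ok := c.Subject.CommonName == cur.Issuer.CommonName && cur.CheckSignatureFrom(c) == nil && time.Now().Before(c.NotAfter)
			if ok && (next == nil || c.Issuer.CommonName != c.Subject.CommonName) { next = c }
		}
		if next == nil || len(chain) > 8 { return nil } // the pinned issuer is not reachable from this pool
		cur = next
	}
	return chain
}
// TLSA renders the DANE-TA record (usage 2, selector 1 = SPKI, matching type 1 = SHA-256); an SPKI hash matches both copies of X1.
func TLSA(c *x509.Certificate) string { return fmt.Sprintf("2 1 1 %x", sha256.Sum256(c.RawSubjectPublicKeyInfo)) }
```

A chain that stops at the intermediate verifies fine against the X1 key but never matches the record, which is exactly the gap the post describes.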
