Are you storing full chain or eliding the root?

Just curious what the optimal approach is here. Of course TLS servers don't generally serve the root certificate of a chain since clients should already be trusting it.

Are you storing the full chain including the root when you download the certificates (and then only serving the leaf and intermediate(s)?)

Or are you eliding the root when you download the chains and not storing the root at all?

Does your client simply assume the last cert in a chain (when downloading from the ACME server) is the root?

When downloading the certificate (chain) using the cert URL, the root is included at the end of the chain. I'm curious how useful this is in practice.

Which CAs do this? I thought they all only returned the leaf & intermediates.

4 Likes

Let's Encrypt...

For example: https://acme-v02.api.letsencrypt.org/acme/cert/04351fcf70c6c57588dfc6aaf14a9e7aa26d

There's an alt chain that only has 2 certs, but the full chain is provided by default.

No, that last cert is not a self-signed root certificate, it's the cross-signed ISRG Root X1 "intermediate", signed by the root DST Root CA X3.

5 Likes

D'oh, you're right -- when I was decoding PEMs I was mixing my workflows and was reading the output of a different cert that was self-signed (an actual root), and thought it was the output from the PEM I pasted from that link.

2 Likes

Probably also answering your question 😛 No client probably stores the root 🙂

3 Likes

I normalize the chain and store a reference to it.

I do store roots, but use another mechanism for that since they are not part of the download.

I have an open TODO for inspecting the cert and fetching the root if it is unknown (the URL is in "CA Issuers" under "Authority Information Access").

I'm curious how useful this is in practice.

My main motivation is for testing purposes, with a secondary motivation for private CAs. With testing, the root may be ephemeral (e.g. Pebble) and can be a pain to hook into. With private CAs, I'd rather just have it ready for me during troubleshooting, as networking/vpn conditions may differ.

Yes, this is overdoing things.

6 Likes
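The two situations this thread turns on, a chain whose last entry is a cross-signed "root" rather than a self-signed one, and a client that normalizes what it downloaded and reads the AIA "CA Issuers" URL off the last cert, can be checked mechanically rather than by eye. The following Go program is an added example written for this page; it is not code from any poster's ACME client or from Let's Encrypt. It builds a constructed demo PKI (the names "Demo Legacy Root", "Demo Root X1", "Demo R3", "www.example.invalid" and the URL http://ca.example.invalid/legacy-root.der are invented stand-ins, not real certificates) in the same shape as the example above: a default chain ending in a cross-signed root, an alternate chain ending at the intermediate, and a chain ending in the actual self-signed root. `IsSelfSignedRoot` is the test the thread arrived at by hand (subject equals issuer and the signature verifies under the cert's own key), `AnalyzeChain` reports what the last entry really is, and `StripRoot` normalizes a chain by dropping only a genuine root.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ChainReport is what a client can learn about the last entry of a chain
// downloaded from an ACME certificate URL, instead of assuming it is the root.
type ChainReport struct {
	Count         int
	LastIsRoot    bool     // last cert is self-signed, i.e. an actual trust anchor
	LastSubject   string
	LastIssuer    string
	CAIssuersURLs []string // AIA "CA Issuers" URLs on the last cert (where its issuer can be fetched)
}

// ParseChain splits a PEM bundle into certificates, preserving bundle order.
func ParseChain(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// IsSelfSignedRoot is true only when subject equals issuer AND the signature
// verifies under the certificate's own key. A cross-signed root fails the first
// test: its subject names a root, but its issuer is a different CA.
func IsSelfSignedRoot(c *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(c) == nil
}

// AnalyzeChain inspects the last certificate of a downloaded chain.
func AnalyzeChain(bundle []byte) (ChainReport, error) {
	certs, err := ParseChain(bundle)
	if err != nil {
		return ChainReport{}, err
	}
	if len(certs) == 0 {
		return ChainReport{}, fmt.Errorf("no CERTIFICATE blocks in bundle")
	}
	last := certs[len(certs)-1]
	return ChainReport{Count: len(certs), LastIsRoot: IsSelfSignedRoot(last),
		LastSubject: last.Subject.CommonName, LastIssuer: last.Issuer.CommonName,
		CAIssuersURLs: last.IssuingCertificateURL}, nil
}

// StripRoot normalizes a chain for storage and serving: a trailing self-signed
// root is dropped (clients already trust it), while a cross-signed root stays
// because it is part of the path some clients need.
func StripRoot(certs []*x509.Certificate) []*x509.Certificate {
	if n := len(certs); n > 0 && IsSelfSignedRoot(certs[n-1]) {
		return certs[:n-1]
	}
	return certs
}

// ---- constructed demo PKI: names and the AIA URL are invented, not real CA data ----

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func tmpl(cn string, serial int64, ca bool, aiaURL string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	if aiaURL != "" {
		t.IssuingCertificateURL = []string{aiaURL}
	}
	return t
}

// sign issues t for pub under the signer's key; parent == t yields a self-signed cert.
func sign(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

func toPEM(certs ...*x509.Certificate) []byte {
	var b bytes.Buffer
	for _, c := range certs {
		check(pem.Encode(&b, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
	}
	return b.Bytes()
}

// Demo mirrors the thread's situation for one leaf: Default ends in a
// cross-signed root, Alt ends at the intermediate, WithRoot ends in the
// self-signed root (which ACME servers normally do not return).
type Demo struct{ Default, Alt, WithRoot []byte }

func BuildDemo() Demo {
	legacyKey, x1Key, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	legacyT := tmpl("Demo Legacy Root", 1, true, "")
	legacy := sign(legacyT, legacyT, &legacyKey.PublicKey, legacyKey)
	x1T := tmpl("Demo Root X1", 2, true, "")
	x1Self := sign(x1T, x1T, &x1Key.PublicKey, x1Key)
	// Same subject and key as x1Self, but issued by the legacy root: a cross-sign.
	x1Cross := sign(tmpl("Demo Root X1", 3, true, "http://ca.example.invalid/legacy-root.der"), legacy, &x1Key.PublicKey, legacyKey)
	r3 := sign(tmpl("Demo R3", 4, true, ""), x1Self, &r3Key.PublicKey, x1Key)
	leaf := sign(tmpl("www.example.invalid", 5, false, ""), r3, &leafKey.PublicKey, r3Key)
	return Demo{Default: toPEM(leaf, r3, x1Cross), Alt: toPEM(leaf, r3), WithRoot: toPEM(leaf, r3, x1Self)}
}

func main() {
	d := BuildDemo()
	r, err := AnalyzeChain(d.Default)
	check(err)
	fmt.Printf("default chain: %d certs, last=%q issuer=%q selfSignedRoot=%v aia=%v\n",
		r.Count, r.LastSubject, r.LastIssuer, r.LastIsRoot, r.CAIssuersURLs)
}
```

On the default chain the report shows three certificates whose last entry has subject "Demo Root X1" but issuer "Demo Legacy Root" and `selfSignedRoot=false`, which is exactly the mix-up from earlier in the thread; the `CAIssuersURLs` field is where a client would look to fetch the unknown issuer instead of assuming the last entry is the root. A client that wants to keep roots (as the post above does) can store whatever `StripRoot` removed through its separate root mechanism.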

I wouldn't say that.
If doing this makes your life/work simpler, then by all means make it simpler!

Done right, there is no such thing as "oversimplification".
Anything that can be made simpler, should be made simpler [period].
-rg305

3 Likes

Not gonna lie. I had to look up the definition of "eliding".

5 Likes

LOL me too!
Especially after I saw it twice - at first encounter I wrote it off as the shpeelckur having gone wonky.

3 Likes

The second time I read the title, I read "Eliding the Root" as "Gleaming the Cube" and had a sensible chuckle.

2 Likes
