I can parse the cert just fine; what I need to know is which part of the cert I can reliably tell a piece of code to check.
The two ways that occur to me are:
- regexp on some part of the issuer’s DN (commonName? organizationName?)
- Look for OID 1.3.6.1.4.1.44947.1.1.1 in the certificate policies extension.
Option 1 makes me concerned that “Let's Encrypt” may become “Let’s Encrypt” or “Lets Encrypt” (i.e., switch out straight-quote for UTF-8 rsquo, or get rid of it entirely).
Option 2 … well, I don’t know how permanent that OID is.
Thoughts?
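As an added example (not code from the post above or from Let's Encrypt): a Go check for option 2 that decodes the certificatePolicies extension itself and looks for the OID, exercised against a constructed self-signed certificate rather than a real Let's Encrypt one. The function, type and variable names are my own; the policy OID is the one quoted in the post and 2.5.29.32 is id-ce-certificatePolicies from RFC 5280.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Policy OID quoted in the post, and id-ce-certificatePolicies (2.5.29.32) from RFC 5280.
var letsEncryptPolicyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 44947, 1, 1, 1}
var certificatePoliciesOID = asn1.ObjectIdentifier{2, 5, 29, 32}
// policyInfo is RFC 5280 PolicyInformation; Go's asn1 decoder ignores trailing optional qualifiers.
type policyInfo struct{ Policy asn1.ObjectIdentifier }

// HasPolicyOID (option 2): decode the certificatePolicies extension and look for want.
// A malformed extension counts as "not present", never as a match.
func HasPolicyOID(cert *x509.Certificate, want asn1.ObjectIdentifier) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(certificatePoliciesOID) {
			continue
		}
		var policies []policyInfo
		_, err := asn1.Unmarshal(ext.Value, &policies)
		for _, p := range policies {
			if err == nil && p.Policy.Equal(want) {
				return true
			}
		}
	}
	return false
}

// newTestCert builds a self-signed certificate as constructed test input (not a real
// Let's Encrypt certificate) carrying the given issuer organizationName and policies.
func newTestCert(org string, policies []policyInfo) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{org}},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: certificatePoliciesOID, Value: must(asn1.Marshal(policies))}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // fixture helper
```

For option 1, the parsed `cert.Issuer.Organization` attribute is already available as a string slice, so an exact comparison on it makes an apostrophe variant fail visibly instead of being absorbed by a regexp.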