I'm not 100% familiar with all the concepts related to Certificate Chains, so please bear with me
Long story short: I'd like to generate a staging certificate that is issued from a staging root CA cert that is not expired? Is that possible? If so, any suggestions?
Here's the full story:
My ultimate goal is to use Let's Encrypt Staging certificates to test a custom software command line tool.
jetstack/cert-manager in kubernetes to generate tls certificates for a nginx ingress. I configured a
ClusterIssuer to use Let's Encrypt staging environment.
This worked great - I see that the certificates are provisioned and correctly associated to the ingress.
However, the custom cli tool that I'm testing is very picky (as expected). The certificate generated by the CertIssuer shows that it was issued by
(STAGING) Doctored Durian Root CA X3, and because that certificate expired on
1/30/21, 9:01:15 AM EST, the cli tool (correctly) shows an error message of
So far, so good, the custom cli is working as expected
But now, I'd like to prove that the cli tool can connect to staging cert if the root cert is not expired.
So, here's my question:
The certificate generated from Let's Encrypt appears to be Issued from the intermediate
(STAGING) Artificial Apricot R3, which is issued from
(STAGING) Doctored Durian Root CA X3
After reading thru this forum, I understand that there is an alternate chain that can be used? If I understand correctly, I think it should be possible to generate a cert issued from
(STAGING) Pretend Pear X1 rather than from
(STAGING) Doctored Durian Root CA X3?
I think it should be possible to configure the
Preferred Chain ? But I'm not sure what value to set
preferredChain to? I've found a few forum posts and tried a few values but none of them seemed to work.
So, ideally, I'd like to generate a staging certificate that is issued from a staging root CA cert that is not expired? Is that possible? If so, any suggestions?
Here's the yaml I use for the kubernetes Cert issuer:
# Prod: https://acme-v02.api.letsencrypt.org/directory
# Staging: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
# Name of a secret used to store the ACME account private key
# Enable the HTTP-01 challenge provider