Content from caIssuers URLs


Is there any standard that governs the content of responses from caIssuers URLs?

I notice that LE’s certs put in a URL ( that returns a certificate; however, the that intermediate cert has a URL for a .p7c payload (from IdenTrust), not an X.509 cert.

I’ve looked at caIssuers returns from a couple other CAs, and they all have X.509.

Is IdenTrust just an outlier here? Are there other formats to look out for? And, especially, is there any standard that governs which formats can and can’t be sent as payloads to these URLs?


I believe both DER and pkcs7 ("‘certs-only’ CMS message") is permitted by the relevant RFC:

Where the information is available via HTTP or FTP, accessLocation
MUST be a uniformResourceIdentifier and the URI MUST point to either
a single DER encoded certificate as specified in [RFC2585] or a
collection of certificates in a BER or DER encoded “certs-only” CMS
message as specified in [RFC2797].


Thanks! Sorry, I thought I checked the RFC, but I must have missed that.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.