I ran into an issue while working on some tests as I prepare for longer chains - there doesn't seem to be a way to identify the roots. (essentially the same situation as in How to get hold of root certificate? · Issue #152 · letsencrypt/pebble · GitHub, but I'm not limited to pebble)
The fullchain file does not contain roots, only the intermediates, as the root is not needed by end-users (website admins and visitors) as it is in a browser/os/app trust store. Pebble now has a feature to expose the root(s). Boulder does not support this, and most people seem to be copying from computer/browser trust stores.
Does anyone have good strategies for doing the following detecting / identifying roots ? it seems like the only real option is to code the production "expected" roots in my client, and interrogate pebble for them during tests. This is less than ideal, because it requires a code update if a new root is deployed, as I wold essentially be operating a Trust Store. I would prefer not to do that, I just want to validate the certificate chain.
Upon downloading a certificate, I need to analyze the chain and make sure everything validates. (This is as much to ensure against our own bugs than distrusting the ACME server.) Most libraries and utilities require the root to be identified for this.
We need this info to make informed decisions on chains.
- How to get the Boulder Root-CA certificate (in testing or "production")? - #21 by mnordhoff
- where has the test root ca gone? · Issue #4882 · letsencrypt/boulder · GitHub
- How to get hold of root certificate? · Issue #152 · letsencrypt/pebble · GitHub
- Add root certificate while generating certificate files · Issue #243 · fszlin/certes · GitHub