How to get certificate-only without root chain?

Is there a way with ACME, at the end of the process, to retrieve only the signed certificate without the root certificate chained to it? Some software, like lighttpd, require the certificate + key in one PEM file, and the root in a separate file. It would be nice if I could tweak something like acme_tiny to get only the certificate rather than have the server give me both and have to separate them.

ACME protocol doesn’t give root certificate to client. you mean intermediate certificate?
Certbot gives you fullchain.pem(intermediate+leaf cert), chain.pem (intermediate only), cert.pem (leaf cert only)


Yes, I mean without the intermediate certificate. Is there a way within the ACME v2 protocol on LetsEncrypt to get only the leaf certificate? I do not intend to use certbot, I intend to modify acme_tiny to get what I need if it’s possible. After the final poll, the directory that is returned includes: status, identifiers, authorizations, finalize, certificate, expires. Of those, GETting “certificate” retrieves both the intermediate and leaf. I don’t see anything else in the list that looks like it might work to get just the leaf. I’m hoping there is something I’m missing.

1 Like

You’ve got it exactly right; the protocol provides an end-entity (leaf) certificate plus the chain of intermediates needed to verify it. If you need to slice those up separately, you will want to have your ACME client parse the PEM and spit out the end-entity certificate into one file, and the other certificates (there may be more than one intermediate) into another file. Per the spec, the end-entity certificate will always be the first one.