Pin Sub CAs while issuing the certificates

Not sure that was the point, as Rudy clearly says sending both... 🤷 I'll leave it at this..

1 Like

I prefer to teach a man to fish over just handing out fish.
The "spark" was to lead them to think/test/learn/solve.

If the unit does require the intermediate cert, then that is a problem.
But... if it can be fed both intermediates, then either cert path would work.

1 Like

How? Because the certificate is ultimately signed by just one of them. Sending a useless intermediate too doesn't make the fact that the server is trusting the incorrect certs go away. If a good intermediate in the chain doesn't work, why would sending an incorrect intermediate too matter at all?

1 Like

That is not done from the server.
It gets done however the device allows:

My thought-provoking comment was to do just that: provoke thought, which might lead to testing, which could lead to learning and ultimately lead to solving the problem.

1 Like

@ashuec90 maybe I am missing something, but why not just the Trusted Root Anchor Certificates?

3 Likes

Try pinning both.

1 Like

If “the device” doesn’t need a publicly trusted CA, consider setting up a dedicated private CA run by your organization. Then you have total control and ease the reconfiguring of devices, as you know all the pieces and can make them deterministic.

5 Likes