Protocol method to get leaf certificate only

Version 1 of the ACME protocol returned only a leaf certificate and required you to manually chain it as required. Version 2 of the ACME protocol as implemented by LetsEncrypt only allows you to retrieve the leaf certificate chained with the intermediate certificate in the same output. However not all software takes certificates where the leaf and intermediate are in the same file.

The protocol drafts I have seen contemplate the possibility of other certificate formats, and the “official” client obviously contemplates the need for only a leaf certificate since it is capable of separating the leaf from the intermediate in different files. It would be beneficial to make the LetsEncrypt implementation able to handle this so that clients didn’t have to have certificate splitting logic. I submit that it actually makes more sense for the client to be able to get the certificates it requires in the order that it requires them without the protocol dictating which certificates should be chained in what order.

Thanks for the input, @Kurt! We’ve considered this a few times, and concluded that the best approach is to offer one simple format the offers what most clients need, and allow clients to parse that into whatever format they need, rather than trying to provide every alternate format that we anticipate being needed.

1 Like