Description
Hello,
Looking at Line 115 in 41a90a2, it seems to be assumed that the CaCerts operation must return only one self-signed certificate. However, RFC 7030, section 4.1.3 (CA Certificates Response, quoted below), does not limit the returned root certs to one. I have a case where I use an HTTPS certificate for my EST server issued by one CA, but another CA will be signing the leaf cert generated by the EST client.
Do I understand the logic correctly here?
A successful response MUST be a certs-only CMC Simple PKI Response, as defined in [RFC5272], containing the certificates described in the following paragraph. The HTTP content-type of "application/pkcs7-mime" is used. The Simple PKI Response is sent with a Content-Transfer-Encoding of "base64" [RFC2045].

The EST server MUST include the current root CA certificate in the response. The EST server MUST include any additional certificates the client would need to build a chain from an EST CA-issued certificate to the current EST CA TA. For example, if the EST CA is a subordinate CA, then all the appropriate subordinate CA certificates necessary to build a chain to the root EST CA are included in the response.