Open achuchev opened 4 years ago
Hello,
Looking at https://github.com/thales-e-security/estclient/blob/41a90a297bd347fb5029dc39eeee2745e55852e1/utils.go#L115, it seems to be assumed that the CaCerts operation must return only one self-signed certificate. However, RFC 7030 section 4.1.3, CA Certificates Response (see below), does not limit the returned root certs to one. I have a case where I use an HTTPS certificate for my EST server issued by one CA, but another CA will be signing the leaf cert generated by the EST client.
Do I understand the logic correctly here?

I had mistakenly assumed the /cacerts operation was just for receiving the certificates relating to certificates issued to EST clients. However, I now see from section 4.1.1...
The EST client uses the /cacerts response to establish an Explicit Trust Anchor database for subsequent TLS authentication of the EST server.
So, further work would be needed to support this functionality. We are not actively working on this protocol at the moment, so the best approach is to open a pull request which we can review and merge.

@dmjones Thanks for the quick response!
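The scenario in the opening post, as an added example that is not part of the issue thread or of the estclient project's code: the certificates returned by /cacerts are split into self-signed trust anchors and intermediates without assuming there is exactly one root, and both the EST server's TLS certificate (from one CA) and an enrolled client certificate (from a second CA) are verified against that explicit trust anchor set. The `TrustAnchors` type, the `mintCA`/`mintLeaf` helpers and the CA names are all constructed for this example; it uses only the Go standard library and stands in for the PKCS#7 parsing step, which is assumed to have already produced a `[]*x509.Certificate`.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TrustAnchors is the Explicit Trust Anchor database built from /cacerts.
// Any number of self-signed CAs is accepted, as RFC 7030 4.1.3 does not
// restrict the response to a single root (hypothetical type for this example).
type TrustAnchors struct {
	Roots         *x509.CertPool
	Intermediates *x509.CertPool
	RootCount     int
}

// NewTrustAnchors classifies each /cacerts certificate as a trust anchor
// (self-signed CA) or an intermediate, and rejects non-CA certificates.
func NewTrustAnchors(certs []*x509.Certificate) (*TrustAnchors, error) {
	ta := &TrustAnchors{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range certs {
		if !c.IsCA {
			return nil, fmt.Errorf("/cacerts contained a non-CA certificate: %s", c.Subject)
		}
		// Self-signed: issuer equals subject and the signature verifies with its own key.
		if bytes.Equal(c.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(c) == nil {
			ta.Roots.AddCert(c)
			ta.RootCount++
		} else {
			ta.Intermediates.AddCert(c)
		}
	}
	if ta.RootCount == 0 {
		return nil, errors.New("/cacerts contained no self-signed CA; no trust anchors")
	}
	return ta, nil
}

// Verify checks that leaf chains to one of the explicit trust anchors for the given usage.
func (ta *TrustAnchors) Verify(leaf *x509.Certificate, usage x509.ExtKeyUsage) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         ta.Roots,
		Intermediates: ta.Intermediates,
		KeyUsages:     []x509.ExtKeyUsage{usage},
	})
	return err
}

// mintCA creates a self-signed CA (constructed test data, not a real PKI).
func mintCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintLeaf issues an end-entity certificate from the given CA (constructed test data).
func mintLeaf(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, usage x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario reproduces the issue: the EST server's HTTPS cert is issued by one CA,
// enrolled client certs by another, and /cacerts returns both roots. A cert from a
// CA that was not in /cacerts must fail. Returns the anchor count and each outcome.
func Scenario() (rootCount int, serverErr, clientErr, strangerErr error) {
	tlsCA, tlsKey, err := mintCA("TLS Root CA")
	if err != nil {
		return 0, err, err, err
	}
	enrollCA, enrollKey, err := mintCA("Enrollment Root CA")
	if err != nil {
		return 0, err, err, err
	}
	strangerCA, strangerKey, err := mintCA("Unrelated CA")
	if err != nil {
		return 0, err, err, err
	}
	ta, err := NewTrustAnchors([]*x509.Certificate{tlsCA, enrollCA})
	if err != nil {
		return 0, err, err, err
	}
	serverCert, _ := mintLeaf("est.example.test", tlsCA, tlsKey, x509.ExtKeyUsageServerAuth)
	clientCert, _ := mintLeaf("device-0001", enrollCA, enrollKey, x509.ExtKeyUsageClientAuth)
	strangerCert, _ := mintLeaf("device-9999", strangerCA, strangerKey, x509.ExtKeyUsageClientAuth)
	return ta.RootCount,
		ta.Verify(serverCert, x509.ExtKeyUsageServerAuth),
		ta.Verify(clientCert, x509.ExtKeyUsageClientAuth),
		ta.Verify(strangerCert, x509.ExtKeyUsageClientAuth)
}

func main() {
	n, s, c, x := Scenario()
	fmt.Println("trust anchors from /cacerts:", n)
	fmt.Println("EST server TLS cert:", s)
	fmt.Println("enrolled client cert:", c)
	fmt.Println("cert from CA absent from /cacerts:", x)
}
```

The point of the classification step is that a client which keeps only the first self-signed certificate it finds would silently drop the second root and then fail TLS authentication of the server, or fail to validate its own enrolled certificate, in exactly the split-CA deployment described in the issue.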