In deployments where the CA we're using is a subordinate of another, the CA might provide a dedicated interface for reading its chain, or it might not. If it only provides the chain when issuing certificates (for example, by providing multiple certificates wrapped up in a PKCS#7 signed-data item), we need to be able to sift through that soup, extract the certificate that matches the public key in our request, and sort the rest of the certificates in a suitable chain order.
Metadata Update from @nalin:
- Issue set to the milestone: 0.76
to comment on this ticket.