Learn more about these different git repos.
Other Git URLs
In deployments where the CA we're using is a subordinate of another, the CA might provide a dedicated interface for reading its chain, or it might not. If it only provides the chain when issuing certificates (for example, by providing multiple certificates wrapped up in a PKCS#7 signed-data item), we need to be able to sift through that soup, extract the certificate that matches the public key in our request, and sort the rest of the certificates in a suitable chain order.
Metadata Update from @nalin: - Issue set to the milestone: 0.76
With FreeIPA, for instance, the certificates retrieved from the CA include all the certificates added to the domain with 'ipa-cacert-manage install'; so if your FreeIPA CA's is a subordinate CA, you get:
Are you talking about with the -F/-a options to retrieve the CA chain?
I think that is a different issue.
NSS generally wants the entire chain and not just the signing CA, in order for trust to work.
Metadata Update from @rcritten: - Issue close_status updated to: None
Login to comment on this ticket.