The certs coming back from the well-known bundle aren't ordered in the spec. Showing the first cert in there might not be useful.
The real value to show is to look through the certs in the bundle, order the chains by the signer, and find the cert/certs that are validating the server. Then show the highest cert in that chain (root, intermediate, leaf) or show the entire chain from root->leaf.
Also, if cross signing has occurred there may be multiple valid chains.
Normally to deal with this we can rely on golang's x509 capabilities to construct the chains and validate. However, that only provides us a yes/no answer afaik.
Originally posted by @andrewpmartinez in #454 (comment)
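
As an added example (not from the original comment or the project's code), the Go program below sorts an unordered bundle into self-signed roots and intermediates and asks `Certificate.Verify` for every chain that validates a server certificate, including the cross-signed case. The names `chainsFor`, `issue` and `demo`, the constructed sample PKI, and treating the bundle's self-signed certificates as trust anchors are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chainsFor returns every leaf-first chain from the unordered bundle that validates leaf.
func chainsFor(leaf *x509.Certificate, bundle []*x509.Certificate) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range bundle {
		if c.CheckSignatureFrom(c) == nil { // self-signed CA: assumed trust anchor
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
}

// issue creates a constructed sample certificate; a nil parent means self-signed.
func issue(cn string, ca bool, key ed25519.PrivateKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), signer) // fixed sample inputs
	c, _ := x509.ParseCertificate(der)
	return c
}

// demo builds a constructed cross-signed PKI and returns the leaf with a scrambled bundle.
func demo() (*x509.Certificate, []*x509.Certificate) {
	k := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	ka, kb, ki := k(), k(), k()
	rootA, rootB := issue("Root A", true, ka, nil, nil), issue("Root B", true, kb, nil, nil)
	interA, interB := issue("Inter", true, ki, rootA, ka), issue("Inter", true, ki, rootB, kb)
	return issue("server", false, k(), interA, ki), []*x509.Certificate{interB, rootA, interA, rootB}
}

func main() {
	chains, err := chainsFor(demo())
	fmt.Println(len(chains), "chains validate the server cert; err =", err)
}
```

Each returned chain is ordered leaf first, so `chain[len(chain)-1]` is the root to display; the cross-signed sample yields two chains, one per root.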