We should serve our CA cert at a known URL for clients to get them.
This can be used to migrate root signing certs, and to act as an distribution point for CA + intermediate bundles.
Suggested would be a known endpoint /ca.crt or similar, that distributes only the CA cert.
Then we could have /ca.bundle.crt that distributes the whole root ca + all trusted intermediate certs
And last, /{sha256sum}/ca.crt that gets a bundle of root ca +only that intermediate certificate (not all others)
We should serve our CA cert at a known URL for clients to get them.
This can be used to migrate root signing certs, and to act as an distribution point for CA + intermediate bundles.
Suggested would be a known endpoint /ca.crt or similar, that distributes only the CA cert.
Then we could have /ca.bundle.crt that distributes the whole root ca + all trusted intermediate certs
And last, /{sha256sum}/ca.crt that gets a bundle of root ca +only that intermediate certificate (not all others)