certigo
Better trust chain output
Today, we dump all built trust chains.
That could be improved in a few ways:
- [ ] Don't print all of them out unless in --verbose
- [ ] Warn about un-needed intermediates (but be careful; they may be needed with other trust stores)
- [ ] Warn about un-needed roots served in trust chains
- [ ] Some support for pinning leafs / intermediates
I would even fail the validation if an intermediate is missing from the presented chain. Today it validates if the intermediate is present in the CA bundle (which is wrong).
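The difference described in the comment above, as an added example that is not certigo's code: it uses Go's standard `crypto/x509` on a constructed in-memory PKI. `mkCert`, `verifyPresented`, the `strict` flag and the policy of treating only self-signed bundle entries as trust anchors are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate; a nil parent means self-signed.
func mkCert(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// verifyPresented takes intermediates only from the presented chain. With strict set,
// only self-signed bundle entries are anchors, so a bundled intermediate cannot fill a gap.
func verifyPresented(leaf *x509.Certificate, presented, bundle []*x509.Certificate, strict bool) ([][]*x509.Certificate, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range bundle {
		if !strict || c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		}
	}
	for _, c := range presented {
		inter.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
}

func main() {
	root, rk := mkCert("Root", true, nil, nil)
	ca, ck := mkCert("Issuing CA", true, root, rk)
	leaf, _ := mkCert("leaf.example", false, ca, ck)
	_, err := verifyPresented(leaf, nil, []*x509.Certificate{root, ca}, true)
	fmt.Println("strict, intermediate only in bundle:", err)
}
```

Calling `verifyPresented` with `strict` set to `false` on the same input succeeds, because the bundled intermediate is then accepted as a trust anchor.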