Root Certificate Issued Non-CA Leaves

Perform the recommended actions that ensure a proper Certificate Authority (CA) hierarchy is followed by verifying that leaf certificates are not issued directly by a root CA.

This health check ensures a proper Certificate Authority (CA) hierarchy is followed by verifying that leaf certificates are not issued directly by a root CA. Ideally, a root CA should only sign an intermediate CA, and leaf certificates should be issued by intermediates.

Health Check Name: root_issued_leaves

Accessed APIs

| Method | Endpoint | Description |
| --- | --- | --- |
| LIST | /issuers | Lists all configured issuers |
| READ | /issuer/:issuer_ref/pem | Retrieves the PEM-encoded certificate for a specific issuer |
| LIST | /certs | Lists issued certificates |
| READ | /certs/:serial | Reads details of a specific certificate by serial number |

Configuration Parameters

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| certs_to_fetch | int | 100 | Number of leaf certificates to inspect for root-signed non-CA leaf issuance |

Health Check Results

| Condition | Status | Description |
| --- | --- | --- |
| No non-CA leaf certificates signed by a root found | OK | Indicates a correct CA hierarchy is in use |
| One or more non-CA leaf certificates signed by a root | Warning | Root CAs should not directly issue leaf certificates |

  • Restrict usage of the following APIs on the root CA: sign, sign-verbatim, issue, and ACME.

  • Create an intermediate issuer in a separate mount.

  • Have the root CA sign the intermediate issuer.

  • Issue all future leaf certificates using the intermediate issuer.

  • Reissue existing leaf certificates that were directly signed by the root using the intermediate CA.
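The rule this health check applies, written out as an added Go example (not Vault's own implementation): an issuer that verifies its own signature is a root, and any non-CA certificate whose signature verifies directly under a root is reported by serial. The `mkCert` and `SampleHierarchy` helpers build constructed test data (a root, an intermediate, one leaf wrongly signed by the root and one correctly signed by the intermediate); in practice the inputs would come from the `/issuer/:issuer_ref/pem` and `/certs/:serial` reads listed above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds a constructed test certificate signed by parent (self-signed when parent is nil).
func mkCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// RootIssuedLeaves applies the check: a self-signed CA issuer is a root; non-CA certs verifying directly under it are reported.
func RootIssuedLeaves(issuers, certs []*x509.Certificate) []string {
	var found []string
	for _, c := range certs {
		for _, iss := range issuers {
			if !c.IsCA && iss.IsCA && iss.CheckSignatureFrom(iss) == nil && c.CheckSignatureFrom(iss) == nil {
				found = append(found, c.SerialNumber.String()) // same serial the /certs/:serial read would show
				break
			}
		}
	}
	return found
}

// SampleHierarchy is constructed data: root -> intermediate, leaf 3 wrongly signed by the root,
// leaf 4 correctly signed by the intermediate. Only serial 3 should be reported.
func SampleHierarchy() (issuers, certs []*x509.Certificate) {
	root, rootKey := mkCert("Root CA", 1, true, nil, nil)
	inter, interKey := mkCert("Intermediate CA", 2, true, root, rootKey)
	badLeaf, _ := mkCert("app.example.test", 3, false, root, rootKey)
	goodLeaf, _ := mkCert("web.example.test", 4, false, inter, interKey)
	return []*x509.Certificate{root, inter}, []*x509.Certificate{badLeaf, goodLeaf}
}
```

The intermediate is skipped as a root because its own signature does not verify under its own key, so the leaf it issued is not reported, while the leaf the root signed directly is.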
