# Root Certificate Issued Non-CA Leaves

This health check verifies that the PKI follows a proper Certificate Authority (CA) hierarchy by confirming that leaf (end-entity) certificates are not issued directly by a root CA. A root CA should sign only intermediate CAs, and all leaf certificates should be issued by those intermediates. This keeps the root key rarely used (ideally offline) and lets a compromised or retired intermediate be rotated without replacing the trust anchor that relying parties have pinned.

#### Health Check Name: `root_issued_leaves`

#### Accessed APIs

| Method | Endpoint                  | Description                                              |
| ------ | ------------------------- | -------------------------------------------------------- |
| LIST   | `/issuers`                | Lists all configured issuers                             |
| READ   | `/issuer/:issuer_ref/pem` | Retrieves PEM-encoded certificate for a specific issuer  |
| LIST   | `/certs`                  | Lists issued certificates                                |
| READ   | `/certs/:serial`          | Reads details of a specific certificate by serial number |

#### Configuration Parameters

| Parameter        | Type | Default | Description                                                                 |
| ---------------- | ---- | ------- | --------------------------------------------------------------------------- |
| `certs_to_fetch` | int  | `100`   | Number of issued certificates to fetch and inspect for root-signed non-CA leaves; certificates beyond this sample are not examined, so raise it for mounts with many certificates |

#### Health Check Results

| Condition                                             | Status      | Description                                          |
| ----------------------------------------------------- | ----------- | ---------------------------------------------------- |
| No non-CA leaf certificates signed by a root found among the inspected certificates | **OK**      | Indicates a correct CA hierarchy is in use for the sample inspected |
| One or more non-CA leaf certificates signed by a root                               | **Warning** | Root CAs should not directly issue leaf certificates               |

#### Recommended Actions

* Restrict usage of the following APIs on the root CA so that it can no longer issue leaf certificates: `sign`, `sign-verbatim`, `issue`, and ACME. Signing intermediate CA CSRs should be the only issuance path left on the root.
* Create an intermediate issuer in a separate mount.
* Have the root CA sign the intermediate issuer.
* Issue all future leaf certificates using the intermediate issuer.
* Reissue existing leaf certificates that were directly signed by the root using the intermediate CA.
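The check and the remediation together, as an added Go example that is not part of this page or of the vHSM code base: it builds a toy hierarchy in memory with Go's standard `crypto/x509` package (a root, an intermediate, a leaf correctly issued by the intermediate and one leaf wrongly issued by the root), applies the same classification this health check performs, then reissues the offending leaf from the intermediate and re-runs the check. The function names (`rootIssuedLeaves`, `demo`, `mkCert`, `template`) and the certificate names are this example's own. In a real run the issuer and leaf certificates would instead be the PEM returned by the `/issuer/:issuer_ref/pem` and `/certs/:serial` endpoints listed above, decoded with `encoding/pem` and `x509.ParseCertificate`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a certificate together with its private key.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// template returns a CA (ca=true) or end-entity (ca=false) certificate template.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // CA:TRUE for CAs, an explicit CA:FALSE for leaves
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// mkCert generates a P-256 key for tmpl and has parent sign it; a nil parent
// yields a self-signed certificate, i.e. a root. It panics on failure, which
// for in-memory key generation and signing only happens with a broken RNG.
func mkCert(tmpl *x509.Certificate, parent *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent = &entity{tmpl, key} // self-signed: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &entity{cert, key}
}

// isRoot reports whether c is a self-signed CA. The signature is verified with
// c's own key: a subject DN that merely equals the issuer DN proves nothing.
func isRoot(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA && c.CheckSignatureFrom(c) == nil
}

// rootIssuedLeaves returns the hex serial numbers of non-CA certificates whose
// signature verifies directly under a root issuer. Intermediates signed by the
// root are the expected case and are skipped.
func rootIssuedLeaves(issuers, certs []*x509.Certificate) []string {
	var found []string
	for _, iss := range issuers {
		if !isRoot(iss) {
			continue
		}
		for _, c := range certs {
			if c.BasicConstraintsValid && c.IsCA {
				continue
			}
			if c.CheckSignatureFrom(iss) == nil {
				found = append(found, c.SerialNumber.Text(16))
			}
		}
	}
	return found
}

// demo builds root -> intermediate -> leaf plus one leaf wrongly signed by the
// root, runs the check, then reissues that leaf from the intermediate and runs
// the check again. It returns the offending serials before and after the fix.
func demo() (before, after []string) {
	root := must(template("Demo Root CA", 1, true), nil)
	inter := must(template("Demo Intermediate CA", 2, true), root)
	good := must(template("api.example.internal", 3, false), inter)
	bad := must(template("db.example.internal", 4, false), root) // the misconfiguration
	issuers := []*x509.Certificate{root.cert, inter.cert}
	before = rootIssuedLeaves(issuers, []*x509.Certificate{inter.cert, good.cert, bad.cert})
	// Remediation: issue a replacement for the root-signed leaf from the intermediate.
	fixed := must(template("db.example.internal", 5, false), inter)
	after = rootIssuedLeaves(issuers, []*x509.Certificate{inter.cert, good.cert, fixed.cert})
	return before, after
}

// must is a thin alias kept for readability of demo.
func must(tmpl *x509.Certificate, parent *entity) *entity { return mkCert(tmpl, parent) }

func main() {
	before, after := demo()
	fmt.Printf("root-issued leaves before: %v, after: %v\n", before, after) // [4], []
}
```

Matching a leaf to its root by verifying the signature, rather than by comparing the leaf's issuer DN with the root's subject DN, is deliberate: two issuers carrying the same DN (for example after a root rotation) would otherwise be confused, and an issuer name in a certificate is a claim, not evidence. The same applies to `isRoot`, which treats a certificate as a root only if it verifies under its own key, not merely because subject and issuer match.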

