Root Certificate Issued Non-CA Leaves
Perform the recommended actions that ensure a proper Certificate Authority (CA) hierarchy is followed by verifying that leaf certificates are not issued directly by a root CA.
This health check ensures a proper Certificate Authority (CA) hierarchy is followed by verifying that leaf certificates are not issued directly by a root CA. Ideally, a root CA should only sign an intermediate CA, and leaf certificates should be issued by intermediates.
Health Check Name: root_issued_leaves
Accessed APIs

| Method | Path | Description |
|---|---|---|
| LIST | /issuers | Lists all configured issuers |
| READ | /issuer/:issuer_ref/pem | Retrieves the PEM-encoded certificate for a specific issuer |
| LIST | /certs | Lists issued certificates |
| READ | /certs/:serial | Reads the details of a specific certificate by serial number |
Configuration Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| certs_to_fetch | int | 100 | Number of leaf certificates to inspect for root-signed non-CA leaf issuance |
Health Check Results

| Result | Status | Description |
|---|---|---|
| No non-CA leaf certificates signed by a root found | OK | Indicates a correct CA hierarchy is in use |
| One or more non-CA leaf certificates signed by a root | Warning | Root CAs should not directly issue leaf certificates |
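The logic behind this check, as an added example that is not Vault's own implementation: the issuers are classified as root (self-signed CA) or not, and each non-CA certificate is flagged when its signature verifies directly under a root. The hierarchy below (root, intermediate, one leaf signed by the root, one leaf signed by the intermediate) is constructed in memory for the example; the helper names `mkCert`, `IsRoot`, `RootIssuedLeaves` and `BuildSampleHierarchy` are this example's own, not names from the health check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a certificate (self-signed when parent is nil) and returns the
// parsed certificate plus its private key. Helper for this example only.
func mkCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	// A nil parent means self-signed: the template signs itself with its own key.
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// IsRoot reports whether an issuer is a root: it is a CA and its signature
// verifies under its own public key (self-signed).
func IsRoot(c *x509.Certificate) bool {
	return c.IsCA && c.CheckSignatureFrom(c) == nil
}

// RootIssuedLeaves returns the serial numbers of non-CA certificates whose
// signature verifies directly under a root found among the issuers. Leaves
// signed by an intermediate are not reported, even though the intermediate
// itself chains to the root.
func RootIssuedLeaves(issuers, leaves []*x509.Certificate) []string {
	var roots []*x509.Certificate
	for _, c := range issuers {
		if IsRoot(c) {
			roots = append(roots, c)
		}
	}
	var flagged []string
	for _, leaf := range leaves {
		if leaf.IsCA {
			continue // only non-CA leaves are in scope for this check
		}
		for _, root := range roots {
			if leaf.CheckSignatureFrom(root) == nil {
				flagged = append(flagged, leaf.SerialNumber.String())
				break
			}
		}
	}
	return flagged
}

// BuildSampleHierarchy constructs a root (serial 1), an intermediate signed by
// the root (serial 2), one leaf wrongly signed by the root (serial 3) and one
// leaf correctly signed by the intermediate (serial 4). Constructed sample
// data for this example, not real certificates.
func BuildSampleHierarchy() (issuers, leaves []*x509.Certificate) {
	root, rootKey := mkCert("Example Root CA", 1, true, nil, nil)
	inter, interKey := mkCert("Example Intermediate CA", 2, true, root, rootKey)
	badLeaf, _ := mkCert("app.example.test", 3, false, root, rootKey)
	goodLeaf, _ := mkCert("db.example.test", 4, false, inter, interKey)
	return []*x509.Certificate{root, inter}, []*x509.Certificate{badLeaf, goodLeaf}
}

func main() {
	issuers, leaves := BuildSampleHierarchy()
	if bad := RootIssuedLeaves(issuers, leaves); len(bad) == 0 {
		fmt.Println("OK: no non-CA leaf certificates signed by a root found")
	} else {
		fmt.Printf("Warning: non-CA leaves signed by a root, serials %v\n", bad)
	}
}
```

Against the sample hierarchy the function reports only serial 3, which is the Warning case in the table above; in a real deployment the issuers would come from the `/issuers` and `/issuer/:issuer_ref/pem` endpoints and the leaves from `/certs` and `/certs/:serial`, limited by `certs_to_fetch`.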
Recommended Actions

1. Restrict usage of the following APIs on the root CA: sign, sign-verbatim, issue, and ACME.
2. Create an intermediate issuer in a separate mount.
3. Have the root CA sign the intermediate issuer.
4. Issue all future leaf certificates using the intermediate issuer.
5. Reissue existing leaf certificates that were directly signed by the root using the intermediate CA.