Description
Steps to Reproduce
curl http://<step ca url>/roots.pem
404 page not found
curl https://<step ca url>/roots.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Your Environment
step-ca -v
Smallstep CA/0.28.3 (linux/amd64)
Release Date: 2025-03-18T15:56:22Z
Expected Behavior
Accessing /roots.pem / /intermediates.pem via the HTTP endpoint correctly returns the corresponding certificate.
Actual Behavior
Requesting /roots.pem / /intermediates.pem on the HTTP endpoint returns 404
Additional Context
The intermediate certificates provided by the Step CA Endpoint can be used for the Certificate Authority Information Access (OID 1.3.6.1.5.5.7.1.1) CAIssuer (OID 1.3.6.1.5.5.7.48.2) field, but currently, the root and intermediate certificates are only available on HTTPS endpoints.
This does not quite align with the intended use of CAIssuer (which allows clients to download the correct intermediate certificate even if the server is not properly configured with it), nor does it conform to current industry practices: based on observations, Let's Encrypt / Google / DigiCert all provide intermediate certificates on HTTP endpoints.
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
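The CA Issuers use described under Additional Context, as an added example (not from the issue or from step-ca's code): a Go client that holds only a leaf certificate retries verification after fetching the intermediate from the leaf's AIA URI. The certificates, the `ca.example.test` URL and the in-memory `fetch` function standing in for an HTTP GET are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue signs a constructed test certificate: nil parent = self-signed, no AIA URL = CA.
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey, aia ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: len(aia) == 0, BasicConstraintsValid: true, IssuingCertificateURL: aia}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// verifyWithAIA verifies leaf against root and, while that fails, adds what each CA Issuers URI serves and retries.
func verifyWithAIA(leaf, root *x509.Certificate, fetch func(url string) []byte) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	_, err := leaf.Verify(opts)
	for i := 0; err != nil && i < len(leaf.IssuingCertificateURL); i++ {
		opts.Intermediates.AppendCertsFromPEM(fetch(leaf.IssuingCertificateURL[i])) // nil body (404) adds nothing
		_, err = leaf.Verify(opts)
	}
	return err
}

// demo: a server sent only its leaf; the AIA endpoint (hypothetical URL) either serves the intermediate or 404s.
func demo() (served, missing error) {
	root, rk := issue("Constructed Root", nil, nil)
	inter, ik := issue("Constructed Intermediate", root, rk)
	leaf, _ := issue("leaf.example.test", inter, ik, "http://ca.example.test/intermediates.pem")
	body := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: inter.Raw})
	served = verifyWithAIA(leaf, root, func(string) []byte { return body })
	missing = verifyWithAIA(leaf, root, func(string) []byte { return nil }) // endpoint answers 404
	return served, missing
}
func main() { fmt.Println(demo()) }
```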