mirror of
https://github.com/gogrlx/nats-server.git
synced 2026-04-02 03:38:42 -07:00
Resolves problems of [issue #3773](https://github.com/nats-io/nats-server/issues/3773). With this fix, NATS Server will locally determine its own certificate's issuer from either the configured server certificate (bundle of leaf cert plus optional intermediate CA certs) or from the configured server CA trust store, as follows:

1. The operator may provide the server's certificate issuer in the second position of the server's certificate configuration (typically `cert_file` but may be `cert_store` on the Windows platform). If a candidate issuer is found here, it is PKI validated as the actual issuer of the server's cert, else a hard error.
2. If not found in [1], NATS Server will seek to create at least one verified chain with its configured trust store (typically `ca_file` but could be the system trust store if not configured). It will derive the issuer from the first verified chain. If no verified chain can be formed, it is a hard error.
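
The two-step issuer lookup described above, as an added example written against Go's standard `crypto/x509` package; it is not the NATS Server code from this commit. The names `resolveIssuer` and `newCert` and the in-memory Ed25519 certificates are assumptions constructed for illustration, and the bundle is assumed to be already parsed with the leaf first.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// resolveIssuer takes the parsed cert bundle (leaf first) and the trust store; nil roots means system store.
func resolveIssuer(bundle []*x509.Certificate, roots *x509.CertPool) (*x509.Certificate, error) {
	if len(bundle) == 0 {
		return nil, fmt.Errorf("no server certificate configured")
	}
	if len(bundle) > 1 { // step 1: second position must really have signed the leaf
		if err := bundle[0].CheckSignatureFrom(bundle[1]); err != nil {
			return nil, fmt.Errorf("bundled candidate is not the issuer: %w", err)
		}
		return bundle[1], nil
	}
	// step 2: derive the issuer from the first verified chain (any extended key usage accepted)
	chains, err := bundle[0].Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil || len(chains[0]) < 2 {
		return nil, fmt.Errorf("no verified chain with a distinct issuer: %v", err)
	}
	return chains[0][1], nil
}

// newCert makes a constructed test certificate; parent == nil means self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

func main() {
	root, rk := newCert("constructed-root", true, nil, nil)
	leaf, _ := newCert("constructed-server", false, root, rk)
	fmt.Println(resolveIssuer([]*x509.Certificate{leaf}, x509.NewCertPool())) // empty trust store: hard error
}
```

Both failure paths return an error rather than a best-guess issuer, matching the "hard error" behaviour the commit message describes.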