From fd44d68df36ad218ff040224afc2408d3b8d6dde Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Sun, 7 Sep 2025 16:53:01 +0200
Subject: [PATCH] Allow non-self-signed CA certificate as 'root' (#160, #196)

This allows using a sub-CA of an offline / external root CA to be used as the root CA in LabCA.
---
 patches/issuance_issuer.patch | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/patches/issuance_issuer.patch b/patches/issuance_issuer.patch
index 099b80b..0d81f08 100644
--- a/patches/issuance_issuer.patch
+++ b/patches/issuance_issuer.patch
@@ -1,7 +1,18 @@
 diff --git a/issuance/issuer.go b/issuance/issuer.go
-index e89143ea0..ec328c9df 100644
+index e89143ea0..f0015706e 100644
 --- a/issuance/issuer.go
 +++ b/issuance/issuer.go
+@@ -128,8 +128,8 @@ func LoadChain(certFiles []string) ([]*Certificate, error) {
+ lastCert := certs[len(certs)-1]
+ err = lastCert.CheckSignatureFrom(lastCert.Certificate)
+ if err != nil {
+- return nil, fmt.Errorf(
+- "final cert in chain (%q; %q) must be self-signed (used only for validation): %w",
++ fmt.Printf(
++ "WARNING: final cert in chain (%q; %q) should be self-signed (used only for validation): %w\n",
+ lastCert.Subject, certFiles[len(certFiles)-1], err)
+ }
+
 @@ -149,7 +149,7 @@ type IssuerConfig struct {
 Active bool
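Review bot: The replacement `fmt.Printf` call in the `LoadChain` hunk keeps the `%w` verb, which only `fmt.Errorf` supports, so the warning would print a `%!w(...)` placeholder instead of the signature error; change it to `%v`. Beyond the formatting, turning the self-signed check into a stdout warning removes the only visible guarantee that the chain ends in a trust anchor, and it does so for every deployment rather than only those using a sub-CA as root; the message also bypasses the logger and `err` is left non-nil after the `if`. Consider gating the relaxation behind an explicit opt-in setting and otherwise keeping the `return nil, fmt.Errorf(...)`, with a comment above the check explaining why a non-self-signed final cert is tolerated. `LoadChain` starts and ends outside the hunk, so whether the other links of the chain are still verified, and whether `err` is reused afterwards, cannot be confirmed from here.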