From 287cf36572e2ce569fdc4849bccb3b3102f6bdf0 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Mon, 27 Jun 2022 11:00:01 +0000
Subject: [PATCH] post(ecdsa-tor): root CA is missing from PEM bundle

---
 source/_posts/ecdsa-tls-tor-caddy.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source/_posts/ecdsa-tls-tor-caddy.md b/source/_posts/ecdsa-tls-tor-caddy.md
index 3a06a0a..1447496 100644
--- a/source/_posts/ecdsa-tls-tor-caddy.md
+++ b/source/_posts/ecdsa-tls-tor-caddy.md
@@ -43,12 +43,14 @@ http://xw226dvxac7jzcpsf4xb64r4epr6o5hgn46dxlqk7gnjptakik6xnzqd.onion:8080 {
 
 8. Restart Caddy and check the path has correct response. `curl http://localhost:8080/.well-known/pki-validation/xxx -H "Host: your-onion.onion"
 9. After HARICA verified my onion, I received an email notification that it's ready for purchase and download.
-10. Download the P7B format with the full chain and convert it to PEM:
+10. Download the P7B format with the full chain **PKCS#7 (chain)** and convert it to PEM:
 
 ```
 openssl pkcs7 -inform pem -in myonion.p7b -print_certs -out myonion.pem -outform pem
 ```
 
+_PEM bundle offered by HARICA somehow doesn't include root CA in the cert chain_
+
 11. Upload ".pem" and ".key" to the server. `chown` it to the Caddy system user and `chmod 600`.
 
 12. Install the cert in Caddy. Site address has to be separated to HTTP and HTTPS blocks due to the use of custom port. When custom port is not used, Caddy listens on port 80 and 443 by default.