Add root certificate while generating certificate files

When calling certificateChain.Cert.toPem() or certificateChain.Cert.toPfx() (ie the extension methods from CertificateChainExtensions) an AcmeException with message Can not find issuer ... is thrown, when the trust-anchor for this certificate is not embedded in the library. It works for LE production and staging, because these root certificates are contained in the library, but fails for instance when testing against a local pebble instance.

I agree with @webprofusion-chrisc that embedding all possible root certificates into the library is not the best way to go (like mentioned here ). So I think, there should be another possibility to (reasonable) easily provide the root certificate.

I’m not too familiar with the ACME RFC, but scanning through I couldn’t find a specification on how to obtain the root certificate automatically

• It is not contained in the certificate chain which is downloaded from the ACME provider. (Only the cert and intermediates are)
• The up link SHOULD be present when requesting a certificate in DER format, but support for the DER format itself is optional.
• It might be possible to extract it from the system’s certificate store (like registry in windows, keychain in MacOS …) but that
  • may not be possible on all platforms,
  • requires platform specific code and
  • does not solve the problem, that the root certificate may not even be known to the system

As possible workaround I could provide a PR which allows to provide the root certificate to CertificateChainExtensions.ToPfx() and CertificateChainExtensions.ToPem() (similar to what’s done in the Certes.CLI with the --issuer option already). So anyone using this library with a CA other than LetsEncrypt can at least pre-download the root certificate and include it in the workflow.