Unnecessary root anchor in presented chain
Many servers should not send the self-signed root certificate. Clients are expected to already trust their local root store. Including the root usually adds noise and can confuse chain hygiene checks.
What to change
- Bundle contentRemove the self-signed root and keep the leaf plus required intermediates only.
- Deployment reviewConfirm your automation is not concatenating a CA root into the served bundle.
Verify after change
- Re-run chain inspectionThe last presented certificate should no longer be the self-signed root.