We are trying not to manage the CA. In my use case, each satellite server already has a certificate issued by Let's Encrypt. The central server could just trust the Let's Encrypt CA, plus check that the CN is from one of our owned DNS domains.

Regards,
Frank
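One way to implement the name check described in the message above, as an added example that is not part of the original post. It assumes the TLS layer has already validated the chain against the trusted CA and hands over a dict shaped like Python's `ssl.SSLSocket.getpeercert()`; the domains and function names are hypothetical. It reads SAN DNS names first and falls back to the CN only when no SAN DNS name is present.

```python
# Added example: authorize a peer by certificate name once chain validation
# against the trusted public CA has already succeeded.
# OWNED_DOMAINS holds constructed placeholder domains, not values from the post.
OWNED_DOMAINS = ("sat.example.org", "example.net")


def cert_dns_names(peercert):
    """Collect DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    names = [v for (t, v) in peercert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        # Fall back to the subject CN only when the certificate has no SAN DNS name.
        for rdn in peercert.get("subject", ()):
            names += [v for (k, v) in rdn if k == "commonName"]
    return names


def in_owned_domain(name, owned=OWNED_DOMAINS):
    """True if name is an owned domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a leftmost wildcard is judged by its parent domain
    if not name or "*" in name:
        return False
    # Compare on a label boundary so "evilexample.net" does not match "example.net".
    return any(name == d or name.endswith("." + d) for d in owned)


def peer_is_authorized(peercert, owned=OWNED_DOMAINS):
    """Require at least one name, and every name to fall under an owned domain."""
    names = cert_dns_names(peercert)
    return bool(names) and all(in_owned_domain(n, owned) for n in names)


if __name__ == "__main__":
    # Constructed sample certificate dict for a satellite server.
    sample = {
        "subject": ((("commonName", "node1.sat.example.org"),),),
        "subjectAltName": (("DNS", "node1.sat.example.org"),),
    }
    print(peer_is_authorized(sample))
```

Because any holder of a domain can obtain a certificate from a public CA, trusting that CA alone authenticates nothing about ownership; the name check is what restricts access to the owned domains.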