I have a server that has a public and private key pair that are known by my own self hosted CA.
A client wants to send the server some sensitive data. When the client receives the server’s public key, to initiate a tls connection, the client obviously has to contact my CA to verify the server is not an imposter.
The client has to also make sure my CA is not an imposter. Is the only option for facilitating this is to obtain a non self signed, legitimate certificate from another CA, embedded into the software tools the client is already using to communicate all this? Or a second option, send the client our CA certificate before hand, like in an email to use in all future communications with our CA? How is this normally handled in software exposing public APIs over secure connections and who want to manage their own PKI?