In RFC 7030 Enrollment Over Secure Transport (EST) https://tools.ietf.org/html/rfc7030, the /cacerts request (Section 4.1 of RFC 7030) is used by the client to request the current CA certificates. The returned certificates are added to the client’s ‘Explicit TA database’ and must be used to authenticate all future exchanges with the EST CA.
The RFC says that the client is expected to make this request before performing other operations such as requesting a certificate (Section 2.1). I can understand why this is useful in the case that a client is only initialised with an ‘Implicit TA database’ (e.g., a root certificate belonging to a third party issuing CA), as they can then initialise their ‘Explicit TA database’ with the certificates belonging to the PKI they wish to enrol in (Section 4.1.3). However, I’m not clear on the benefit when the client is initialised with an Implicit TA database such as the issuing CA certificate (and corresponding certificate chain) for the CA they wish to enrol with. Perhaps it has something to do with allowing root key updates using rollover certificates (also discussed in Section 4.1.3), but I’m not clear on why this could not be handled as part of the /simpleenroll request. Any help clarifying the purpose of the /cacerts request would be much appreciated!