The chain is cached in and read from the datapool, in namespace scep.cache.getca. The key is created by joining servername, scep-alias and issuer-alias with a colon, e.g. 'vpnservice:ca-scep-5:ca-signer-2'.
In case you want a special response, e.g. one including extra chain certificates, you can set the datapool item manually.
If no value is found in the datapool, __build_chain is called to create it and the result is cached using the datapool for seven days.
Return information on the certificates used by the scep server. With default settings, the following certs are returned in order:
Certificates used in both scep and issuer chain are only included once.
The responses are cached using the datapool. You can strip chain/root by config settings (see below) or inject arbitrary chains into the datapool.
    response:
        getca:
            ra: fullchain
            issuer: fullchain

Options are endentity (cert only), chain (no root) and fullchain (includes root certificate).
The old config option response.getcacert_strip_root is still recognized but deprecated.
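
The following Python sketch is an added illustration, not OpenXPKI code: it models the datapool key and the effect of the endentity, chain and fullchain options, including the rule that shared certificates appear only once. The Cert type, the function names, the sample subjects and the choice to place the ra certificates before the issuer certificates are assumptions of the sketch.

```python
from typing import List, NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str


def is_root(cert: Cert) -> bool:
    # A root is self-signed: subject and issuer are the same name.
    return cert.subject == cert.issuer


def cache_key(server: str, scep_alias: str, issuer_alias: str) -> str:
    # Datapool key in namespace scep.cache.getca, as described in the text.
    return ":".join((server, scep_alias, issuer_alias))


def select(chain: List[Cert], mode: str) -> List[Cert]:
    # chain is ordered entity certificate first, root last (assumed).
    if mode == "endentity":
        return chain[:1]
    if mode == "chain":
        return chain[:1] + [c for c in chain[1:] if not is_root(c)]
    if mode == "fullchain":
        return list(chain)
    raise ValueError(f"unknown response option: {mode!r}")


def build_response(ra_chain, issuer_chain, ra="fullchain", issuer="fullchain"):
    out: List[Cert] = []
    for cert in select(ra_chain, ra) + select(issuer_chain, issuer):
        if cert not in out:  # shared certificates are included only once
            out.append(cert)
    return out


# Constructed sample chains (not real certificates).
ROOT = Cert("Root CA", "Root CA")
RA_CHAIN = [Cert("SCEP RA", "Issuing CA 1"), Cert("Issuing CA 1", "Root CA"), ROOT]
ISSUER_CHAIN = [Cert("Issuing CA 2", "Root CA"), ROOT]


def subjects(certs):
    return [c.subject for c in certs]


if __name__ == "__main__":
    print(cache_key("vpnservice", "ca-scep-5", "ca-signer-2"))
    for mode in ("endentity", "chain", "fullchain"):
        print(mode, subjects(build_response(RA_CHAIN, ISSUER_CHAIN, mode, mode)))
```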