Indeed. The whole point of X.509 certificates is that they're public. You don't have to ask the CA for a copy. You receive entity certificates, and if the server is properly configured intermediate certificates, just by connecting to it and sending a ClientHello; and you either already ...