Adding ISRG Root X1 certificate to client


#1

I am having problems connecting to https://miktex.org (this is not my domain). I get a NET::ERR_CERT_AUTHORITY_INVALID error in Chrome.

I have been told that I need to add the ISRG Root X1 certificate to use this web site securely. Is this the correct advice? See: https://github.com/MiKTeX/miktex/issues/118

I have the DST Root CA X3 certificate, so from my basic understanding that should enable a Let’s Encrypt certificate to work?

If I do add the ISRG Root X1 certificate how do I verify its thumbprint?
And isn’t adding root certificates myself from the internet a bad idea?

Sorry if this is posted in the wrong section, there does not seem to be a configuring clients forum or documentation section, which further adds to my assumption that this is the wrong thing to do.


#2

So, the site owner is sending the ISRG signed intermediate instead of the one signed by DST Root X3. Ideally they should send the cross-signed intermediate.

In the case that the site owner doesn’t change the intermediate they send, you would need to trust the ISRG root manually.

When you download the certificate from https://letsencrypt.org/certificates/, you could verify it by comparing what you downloaded with public records:

and compare the public key modulus

openssl x509 -in isrgrootx1.pem.txt -noout -modulus
Modulus=ADE82473F41437F39B9E2B57281C87BEDCB7DF38908C6E3CE657A078F775C2A2FEF56A6EF6004F28DBDE68866C4493B6B163FD14126BBF1FD2EA319B217ED1333CBA48F5DD79DFB3B8FF12F1219A4BC18A8671694A66666C8F7E3C70BFAD292206F3E4C0E680AEE24B8FB7997E94039FD347977C99482353E838AE4F0A6F832ED149578C8074B6DA2FD0388D7B0370211B75F2303CFA8FAEDDDA63ABEB164FC28E114B7ECF0BE8FFB5772EF4B27B4AE04C12250C708D0329A0E15324EC13D9EE19BF10B34A8C3F89A36151DEAC870794F46371EC2EE26F5B9881E1895C34796C76EF3B906279E6DBA49A2F26C5D010E10EDED9108E16FBB7F7A8F7C7E50207988F360895E7E237960D36759EFB0E72B11D9BBC03F94905D881DD05B42AD641E9AC0176950A0FD8DFD5BD121F352F28176CD298C1A80964776E4737BACEAC595E689D7F72D689C50641293E593EDD26F524C911A75AA34C401F46A199B5A73A516E863B9E7D72A712057859ED3E5178150B038F8DD02F05B23E7B4A1C4B730512FCC6EAE050137C439374B3CA74E78E1F0108D030D45B7136B407BAC130305C48B7823B98A67D608AA2A32982CCBABD83041BA2830341A1D605F11BC2B6F0A87C863B46A8482A88DC769A76BF1F6AA53D198FEB38F364DEC82B0D0A28FFF7DBE21542D422D0275DE179FE18E77088AD4EE6D98B3AC6DD27516EFFBC64F533434F
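
A scripted version of the comparison described in the post above, as an added example that is not part of the original thread. The function names are hypothetical, and the expected modulus (and optional SHA-256 fingerprint) are assumed to have been copied from a source independent of the download itself.

```shell
#!/bin/sh
# Added example: compare a downloaded root certificate with expected values
# obtained out of band, before adding it to a trust store.

# Print the RSA modulus as bare uppercase hex (drops the "Modulus=" prefix).
cert_modulus() {
    openssl x509 -in "$1" -noout -modulus | sed 's/^Modulus=//' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of the whole certificate as bare uppercase hex.
# The modulus only identifies the public key; this covers every byte.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Normalise a value pasted from a web page: strip colons/spaces, uppercase.
normalise_hex() {
    printf '%s' "$1" | tr -d ': \n\r' | tr 'a-f' 'A-F'
}

# verify_cert FILE EXPECTED_MODULUS [EXPECTED_SHA256]
# Returns 0 only if every supplied value matches, 1 on mismatch,
# 2 if the file could not be parsed as a certificate.
verify_cert() {
    vc_want_mod=$(normalise_hex "$2")
    vc_want_fp=$(normalise_hex "${3:-}")
    vc_got=$(cert_modulus "$1")
    [ -n "$vc_got" ] || { echo "cannot read certificate $1" >&2; return 2; }
    if [ "$vc_got" != "$vc_want_mod" ]; then
        echo "MODULUS MISMATCH for $1" >&2
        return 1
    fi
    if [ -n "$vc_want_fp" ]; then
        vc_got=$(cert_sha256 "$1")
        if [ "$vc_got" != "$vc_want_fp" ]; then
            echo "FINGERPRINT MISMATCH for $1" >&2
            return 1
        fi
    fi
    echo "OK: $1 matches the expected values"
}

# Usage (expected value is a placeholder to fill in from the public record):
#   verify_cert isrgrootx1.pem.txt "<modulus from public record>"
```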

#3

Hi @joe425

Interesting: this is the first domain where my Chrome shows the ISRG Root.

But: I didn’t update my certificate store manually (Windows 10), current Chrome version.

Other Let’s Encrypt domains - DST Root is shown.


#5

Thanks, that all makes sense, will pass it on to the site’s owner.

