Any API to download the latest intermediate (R3) certificates

Do you have any API to get the latest intermediate (R3) certificates?

I need to send the latest intermediate (R3) certificates to my devices upon renewal of the intermediate (R3) certificates.

1 Like

Welcome to the Let's Encrypt Community 🙂

The latest RSA intermediate certificate (e.g. R3) is always returned with your leaf certificate by the ACME API when your submitted certificate signing request (CSR) is signed by an RSA private key. In short, every time you renew your Let's Encrypt certificate, the Let's Encrypt CA server always provides the latest intermediate certificate(s) with your leaf certificate.

3 Likes

Can I just download the latest RSA intermediate certificate (e.g. R3) using postman?

Just as we download files from a server using Postman or any other REST API client application.

Please take a look into this comment.

My case is similar to this. When the old R3 expired, we updated the new R3 certificate on our devices manually. That's why we want to automate the process, so that every time the RSA intermediate certificate (e.g. R3) expires, our system gets the latest RSA intermediate certificate (e.g. R3) and sends the new certificate to all devices.

@tish.lockard I face the same problem as you shared in the "Let's Encrypt R3 root cert expiration - how to fix on Ubuntu with certbot?" post.

I want to automate this process. Did you automate the process of getting the latest R3 certificates?

At the renewal of the leaf certificate, update the intermediate signing certificate chain together with it. Whatever ACME client you are using, it provides the chain.

3 Likes

If you need a way to get the latest intermediate via an API, I'd suggest you build your own API and populate it with one or more intermediates; alternatively, supply the fullchain.pem to the device when you provide the certificate.

4 Likes

Incidentally, your leaf certificate does include an Authority Info Access field which you could query to download the issuing intermediate (recursively until you get to a root you recognize). E.g. your current certificate will have a link to http://r3.i.lencr.org/

3 Likes

Actually, I want to get the latest RSA intermediate certificate (e.g. R3) and store it on my own application API server. When the RSA intermediate certificate (e.g. R3) expires, our devices will get the new one from my own application API server.

To more directly answer your question: (IIRC) There is no such link to anything like "LetsEncrypt.org/certs/current/intermediate/active".
The best that can be found (outside of the actual ACME client protocol process) was already mentioned:

Understand that LE has multiple intermediates (and can switch between them at any time).
So there is no guarantee for it to remain the same tomorrow as it was seen yesterday.
Furthermore, LE can authorize a brand new one tomorrow and use that (now unknown) going forward.
OR even spread the load across multiple intermediates.

So I'm not so sure you can "automate your plan" (from what I understand of it).

3 Likes

That's because the intermediate is directly related to the end leaf certificate. E.g., an ECDSA cert signed with E1 wouldn't use the R3 intermediate obviously.

@alihassan Please use the ACME protocol as it's meant to be used: use the intermediate sent together with your end leaf certificate upon issuance. Don't hardcode an intermediate certificate in any other way.

9 Likes

I understand your point. But I need to find the easiest way to update the intermediate certificates on all relevant devices. Is it possible to download the new RSA intermediate certificate (e.g. R3) before the current RSA intermediate certificate (e.g. R3) expires?

After the RSA intermediate certificate (e.g. R3) expires, my devices will not be able to communicate with my server (API). So that's why I need to send them the new RSA intermediate certificate (e.g. R3) before the current one expires.

The current R3 expires in 2025:

The previous R3 already expired:

So I don't understand your request.
Furthermore, one should NOT be trusting intermediate certs.
Trust is for ROOT certs.

2 Likes

The current R3 will expire on 9/15/2025.

Is it possible to get the new R3 before the current R3 expires (on 9/15/2025)?

No, the "replacement" for that one will NOT likely even have that same name.
And won't be created until about a year before that one expires.

3 Likes

Will the new RSA intermediate certificate (R3) be generated one year before the current one expires?

I don't know when it will be created exactly.
My guess is about one year before R3 expires.

But you should not be using intermediates explicitly in trust.

4 Likes

On the TLS clients' trust store, put only the root certificate, not any intermediate signing certificate. In addition, configure your API server to send the intermediate signing certificate, if that is not done yet. When the leaf certificate is renewed, the current intermediate signing certificate is updated on the API server as well.

4 Likes
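The two points made in this thread (read the issuer location out of the leaf's Authority Info Access extension, and trust only the root on the clients while the server ships the intermediate alongside the leaf) as an added, runnable example. This is not code from the thread, from Let's Encrypt or from any ACME client: it builds a throwaway root → intermediate → leaf chain locally with openssl, so every subject name and file name is constructed, and the AIA URI is copied from the thread purely as a label (it is never fetched). It then shows why a client that trusts only the root still needs the intermediate delivered with the leaf, which is exactly what fullchain.pem gives you at every renewal.

```shell
#!/bin/sh
# Added example (not from the thread): generate a local root/intermediate/leaf
# chain with openssl and demonstrate:
#  1. the leaf's AIA "CA Issuers" URI names where the issuing intermediate lives;
#  2. verification succeeds with ONLY the root trusted, as long as the
#     intermediate is supplied next to the leaf (fullchain.pem), and fails
#     when the intermediate is missing.
set -eu

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT

# gen_key_and_csr NAME SUBJECT -> $PKI_DIR/NAME.key and $PKI_DIR/NAME.csr
gen_key_and_csr() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$PKI_DIR/$1.key" 2>/dev/null
    openssl req -new -key "$PKI_DIR/$1.key" -subj "$2" -out "$PKI_DIR/$1.csr" 2>/dev/null
}

make_test_pki() {
    gen_key_and_csr root "/CN=Example Root"          # constructed names
    gen_key_and_csr int  "/CN=Example Intermediate"
    gen_key_and_csr leaf "/CN=example.test"

    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$PKI_DIR/ca.ext"
    # The leaf carries an Authority Information Access extension whose
    # "CA Issuers" URI points at the issuing intermediate (constructed value,
    # copied from the thread as a label only).
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:example.test\nauthorityInfoAccess=caIssuers;URI:http://r3.i.lencr.org/\n' \
        > "$PKI_DIR/leaf.ext"

    # Self-signed root
    openssl x509 -req -in "$PKI_DIR/root.csr" -signkey "$PKI_DIR/root.key" \
        -days 30 -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/root.pem" 2>/dev/null
    # Intermediate signed by the root
    openssl x509 -req -in "$PKI_DIR/int.csr" -CA "$PKI_DIR/root.pem" -CAkey "$PKI_DIR/root.key" \
        -CAcreateserial -days 30 -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/int.pem" 2>/dev/null
    # Leaf signed by the intermediate
    openssl x509 -req -in "$PKI_DIR/leaf.csr" -CA "$PKI_DIR/int.pem" -CAkey "$PKI_DIR/int.key" \
        -CAcreateserial -days 30 -extfile "$PKI_DIR/leaf.ext" -out "$PKI_DIR/leaf.pem" 2>/dev/null
    # What an ACME client hands you as fullchain.pem: leaf first, then the intermediate(s).
    cat "$PKI_DIR/leaf.pem" "$PKI_DIR/int.pem" > "$PKI_DIR/fullchain.pem"
}

# Number of PEM certificates in a bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print only the Nth certificate of a bundle (1 = the leaf in an ACME fullchain.pem).
nth_cert() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{n++} n==want' "$1"
}

# Extract the AIA "CA Issuers" URI, i.e. where the issuing certificate can be fetched.
aia_issuer_url() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^[[:space:]]*CA Issuers - URI://p'
}

# Verify LEAF trusting only ROOT; INTERMEDIATE is passed as untrusted chain material,
# the same role the intermediate plays when a server sends it in the TLS handshake.
verify_with_root_only() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Returns 0 if verification correctly FAILS when the intermediate is not supplied.
fails_without_intermediate() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

make_test_pki
echo "certs in fullchain.pem: $(cert_count "$PKI_DIR/fullchain.pem")"
echo "AIA CA Issuers URI:     $(aia_issuer_url "$PKI_DIR/leaf.pem")"
verify_with_root_only "$PKI_DIR/root.pem" "$PKI_DIR/int.pem" "$PKI_DIR/leaf.pem" \
    && echo "root-only trust + supplied intermediate: OK"
fails_without_intermediate "$PKI_DIR/root.pem" "$PKI_DIR/leaf.pem" \
    && echo "root-only trust, intermediate missing:   FAILS (as expected)"
```

The `-untrusted` argument is the point of the exercise: the client's trust store holds only the root, and the intermediate is just chain material that arrives with the leaf. Replace the generated files with your real root, fullchain.pem and the leaf split out of it (`nth_cert fullchain.pem 1`) to check a deployed server the same way; if verification only passes when the intermediate is added to `-CAfile`, the server is not sending the chain and the devices are depending on a pinned intermediate, which is the fragile setup the thread warns against.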