Hi Team,
Is there an API available to identify when a root certificate is changing? If not, what is the best way to ensure we are notified of a root certificate change?
Thanks!
Grant
As far as I know, no such API exists.
But all API changes are announced here on this forum. I would suggest putting the notification level (the square button with the circle in it, just next to the “New Topic” button) of the API Announcements category on “Watching”. If a new topic is posted, it should send you an e-mail.
Thanks for the quick response, Osiris. I will definitely start watching the API announcements.
What is your recommendation for staying notified of root certificate changes?
-Grant
The ACME protocol includes a feature where you’re given the intermediate certificate that the CA recommends that you use. If Let’s Encrypt decides that the existing intermediate is no longer the most appropriate one to use, the intermediate certificate served via this mechanism will change and clients should receive the new one automatically.
That could happen, for example, if the recommended root changes.
The recommended or expected root is ordinarily the issuer of the highest-level intermediate certificate that the CA offers you via the ACME protocol. So this information is in a sense already always updated automatically.
But I can imagine an administrator wants to know if and when this happens. Especially, if clients will just auto-renew continuously, as recommended by Let’s Encrypt.
Also, not every situation is a default webserver hosted somewhere for “normal” web clients. Perhaps @gdouglas has a very good reason to need to know the exact switch. Perhaps embedded systems or something like that.
Good points, @Osiris.
Currently, you’d be able to find out about root changes by watching the output of
openssl x509 -issuer -in /etc/letsencrypt/live/example.com/chain.pem -noout
for some autorenewed cert on your domain of interest (or substituting the equivalent location of the chain cert saved by some other non-Certbot client application).
If it changes, the recommended root has changed.
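The check described in this post, written out as a small monitor (added example; it is not code from this thread or from Let's Encrypt/Certbot). After each renewal it reads chain.pem, takes the last certificate in the file (the highest intermediate the CA handed out) and asks openssl for its issuer, which is the expected root; that value is compared with the one recorded at the previous check. It assumes `openssl` is on PATH, uses the Certbot chain path named above, and the state-file path and the sample chain are constructed for the example.

```python
"""Record the root that Let's Encrypt currently chains to and flag a change.

Added example, not code from this thread or from Let's Encrypt/Certbot.
Assumptions: `openssl` is on PATH; the chain path is the Certbot layout named
in the thread; the state-file path is a constructed choice.
"""
import re
import subprocess
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_chain(chain_text):
    """Return the individual PEM certificate blocks, in file order (leaf-side first)."""
    return PEM_BLOCK.findall(chain_text)


def openssl_issuer(pem_block):
    """Issuer line of one certificate, as printed by `openssl x509 -issuer -noout`.

    The DN formatting varies between OpenSSL versions, so compare values produced
    by the same binary rather than against a hard-coded string.
    """
    result = subprocess.run(
        ["openssl", "x509", "-issuer", "-noout"],
        input=pem_block, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def expected_root_issuer(chain_text, issuer_fn=openssl_issuer):
    """Issuer of the top-most intermediate, i.e. the root the CA expects you to chain to."""
    blocks = split_pem_chain(chain_text)
    if not blocks:
        raise ValueError("no PEM certificates found in chain")
    return issuer_fn(blocks[-1])


def check_for_change(chain_text, previous_issuer, issuer_fn=openssl_issuer):
    """Compare the current expected root against the one seen at the last check.

    Returns (changed, current_issuer). A first run (previous_issuer is None)
    only establishes a baseline and is not reported as a change.
    """
    current = expected_root_issuer(chain_text, issuer_fn)
    changed = previous_issuer is not None and previous_issuer != current
    return changed, current


def run_check(chain_path, state_path, issuer_fn=openssl_issuer):
    """File-based wrapper suitable for a cron job or a Certbot --deploy-hook."""
    state = Path(state_path)
    previous = state.read_text().strip() if state.exists() else None
    changed, current = check_for_change(Path(chain_path).read_text(), previous, issuer_fn)
    state.parent.mkdir(parents=True, exist_ok=True)
    state.write_text(current + "\n")
    return changed, previous, current


# Constructed sample chain for a dry run: the bodies are placeholders, not real
# base64, so it is paired with a fake issuer function instead of openssl.
SAMPLE_CHAIN = """-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
TOP-INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
"""


def fake_issuer(pem_block):
    """Stand-in for openssl: derives an issuer name from the placeholder body."""
    body = pem_block.splitlines()[1]
    return "issuer=O = Example Root for " + body


if __name__ == "__main__":
    import sys
    chain = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/live/example.com/chain.pem"
    changed, previous, current = run_check(chain, "/var/lib/root-watch/expected-root.txt")
    if changed:
        print(f"EXPECTED ROOT CHANGED: {previous!r} -> {current!r}")
    else:
        print(f"expected root unchanged: {current}")
```

Because the issuer is read from a chain that has already been issued, this only reports the new root after Let's Encrypt has started chaining to it; it cannot warn ahead of the switch.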
I have one follow-up question. So if watching this output gives us the root of an already provisioned cert, it seems that this would not inform us of a new root since it would not be in use by any existing certs.
Are there any other ways of staying notified of a root change?
Thanks!
Grant
As I said, such important things will always be announced on this forum in the said section. I don't think there really is another way. I don't think @lestaff will e-mail an announcement on the known registered e-mail addresses used in the certificate issuing process.
Hi @gdouglas,
Whenever you issue a certificate, including issuing a renewal certificate based on an existing one, Let’s Encrypt uses the ACME protocol to send a recommended chain. Certbot, at least, will save the new chain to disk (you’ll find it in the new target of chain.pem). So, a change in the recommended cert will be visible when you perform a renewal.
But only after the root change is already in effect. I think @gdouglas would like to know in advance.
Oh, even in advance of the issuance of individual certificates that are recommended to be chained from that root? In that case there’s no way to do this notification inside the protocol, so I’d agree with watching the API Announcements category here on the forum. You could also watch the Let’s Encrypt home page at https://letsencrypt.org/ or Twitter account at https://twitter.com/letsencrypt, since a change like this is also likely to be mentioned there.
The current chain of trust is listed online: https://letsencrypt.org/certificates/
Couldn’t that just be periodically checked?
It would be even neater if there were a json representation of the page:
e.g. https://letsencrypt.org/certificates/as.json
which lists the certificates and links to them.
It could even have a “last-updated” key.
That would be much better than periodically indexing the page and checking its md5 sum, which catches changes to text and templates, and often gives me a false positive (as I totally use this method to detect changes myself).
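A way to check the certificates page periodically without the false positives described above (added example; not code from this thread or from Let's Encrypt). Rather than hashing the whole page, it extracts only the links to certificate files and fingerprints that list, so text and template edits are ignored and only an added, removed or re-pointed certificate is reported. It assumes certificate files on the page are linked with a .pem/.der/.crt/.txt suffix (a guess at the page's markup) and uses the page URL given above; the HTML snippets are constructed, with example names rather than real Let's Encrypt file names.

```python
"""Watch the certificates page for changes to the certificate files it links.

Added example, not code from this thread or from Let's Encrypt.
Assumptions: certificate files are linked with a .pem/.der/.crt/.txt suffix
(constructed guess at the page markup); the page URL is the one named in the thread.
"""
import hashlib
from html.parser import HTMLParser
from urllib.request import urlopen

CERTIFICATES_PAGE = "https://letsencrypt.org/certificates/"
CERT_SUFFIXES = (".pem", ".der", ".crt", ".txt")


class CertLinkExtractor(HTMLParser):
    """Collects href values of <a> tags that point at certificate files."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        # Ignore any query string before testing the suffix.
        if href and href.lower().split("?", 1)[0].endswith(CERT_SUFFIXES):
            self.links.append(href)


def certificate_links(html):
    """Sorted, de-duplicated list of certificate links found on the page."""
    parser = CertLinkExtractor()
    parser.feed(html)
    return sorted(set(parser.links))


def links_fingerprint(links):
    """Stable digest of the link list; unaffected by surrounding page text."""
    return hashlib.sha256("\n".join(links).encode("utf-8")).hexdigest()


def diff_links(previous, current):
    """(added, removed) relative to the previously recorded link list."""
    return sorted(set(current) - set(previous)), sorted(set(previous) - set(current))


def fetch_certificate_links(url=CERTIFICATES_PAGE, timeout=30):
    """Live fetch of the page; not exercised by the offline sample below."""
    with urlopen(url, timeout=timeout) as resp:
        return certificate_links(resp.read().decode("utf-8", "replace"))


# Constructed page snippets: PAGE_B changes only prose, PAGE_C adds a certificate.
PAGE_A = """<html><body><h1>Chain of Trust</h1>
<p>Our root is <a href="/certs/example-root-x1.pem">Example Root X1</a> (<a href="/certs/example-root-x1.txt">text</a>).</p>
<p>Intermediate: <a href="/certs/example-r3.pem">Example R3</a></p>
<footer>Updated yesterday</footer></body></html>"""
PAGE_B = PAGE_A.replace("Updated yesterday", "Updated today").replace("Chain of Trust", "Chain of trust")
PAGE_C = PAGE_A.replace("</p>\n<footer>", ', <a href="/certs/example-e1.pem">Example E1</a></p>\n<footer>')


if __name__ == "__main__":
    # Offline demonstration on the constructed snippets.
    base = certificate_links(PAGE_A)
    print("text-only edit changed fingerprint:",
          links_fingerprint(base) != links_fingerprint(certificate_links(PAGE_B)))
    print("added/removed after new cert:", diff_links(base, certificate_links(PAGE_C)))
```

In a scheduled job you would persist the link list (or its fingerprint) between runs and alert on a non-empty `diff_links` result; the page is maintained by hand, so treat this as a supplement to watching the API Announcements category rather than a replacement for it.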
Well, I assume such a desire. @gdouglas hasn't informed us on his motivations, so we can only guess.
The site is updated manually through GitHub updates and could be lagging behind important updates. I would say API announcements are the most timely notifications.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.