Hey folks,
I'm curious if there's a single URL that includes a bundle of current and upcoming intermediate CA certificates that LetsEncrypt issues leaf certificates from. We are hoping to be able to monitor changes to that list programmatically. I looked on https://letsencrypt.org/certificates/, but only found links to individual certificates.
Thanks!
Bill Shupp
I think the general approach that's preferred is that you only really need to monitor changes to the roots, since if anybody presents you with an unfamiliar intermediate, you can pretty easily tell if it was actually signed by a root. That's why every web server is (or at least should be) configured to serve both the domain leaf certificate as well as whatever intermediate issued it, since browsers then don't need to worry about the intermediates directly.
That said, you might be able to get what you're looking for by monitoring Certificate Transparency logs. For instance, the log aggregator at crt.sh lists all the intermediates issued by ISRG Root X1 and ISRG Root X2. While I don't think you should be scraping crt.sh directly (though maybe they have an API?), you may be able to monitor the underlying Certificate Transparency logs directly? That's just my first thought. It's probably easier to just have your system not depend directly on the intermediates, though. 
If you subscribe to the API Announcements Forum, you should get an email when things like that change (it's used as a listserve).
Short of using a page monitoring tool to alert you when the /certificates page changes, sadly there is no option.
I actually opened a ticket for this last week (https://github.com/letsencrypt/website/issues/1162), and may generate a PR against it. My need is that I wrote a client, and it can "sync" against the official LetsEncrypt info to better document the certificate chains.
So the standard intermediate just changed from X3 to R3 a few days ago, and the newer root chain (ISRG Root X1) is scheduled for January 11th.
It would be cool if ACME included an endpoint to fetch Root certs used in issuance as this would allow for at least being able to automatically determine if a CAs cert isn't present in the current environment root store.
Note also you can use the 'preferred chain' option of most acme clients to try out the ISRG Root X1 Chain now.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
Check your suggestion again on GitHub.