I got a Let’s Encrypt certificate for me (i.e.: my server). Inspecting the certificate I found this certification chain:
- “DST Root CA X3” (Root CA)
- “Let’s Encrypt Authority X3” (CA)
The CA states the CPS as http://cps.root-x1.letsencrypt.org (the Root CA has no such CPS), and that, in turn, states the Root CA is “ISRG Root X1” using 4096 bits. The X3 CA however uses just 2048 bits. My certificate has the CPS http://cps.letsencrypt.org, which redirects to https://letsencrypt.org/documents/isrg-cps-v2.3/ also.
Shouldn’t the CPS describe the certification policy? I’m quite confused. 8-(
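Added example, not part of the original post and not Let’s Encrypt’s own material: a shell script that uses openssl to build a constructed two-level chain (a 4096-bit root with no policy extension, and a 2048-bit intermediate that carries a CPS URI in its Certificate Policies extension), then reads the key size and CPS pointer back out of each certificate. That extension, with its per-certificate CPS qualifier, is where an inspecting tool finds the CPS a given certificate points to, which is why the root, the intermediate and the leaf can each name a different (or no) CPS. The subject names, policy OID and URI below are placeholders assumed for the demo.

```shell
#!/bin/sh
# Constructed demo chain (not real Let's Encrypt certificates). Run: sh cps_chain.sh
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The intermediate's Certificate Policies extension: a policy OID plus a CPS
# qualifier. The OID and URI are constructed placeholders for this demo.
cat > "$WORK/int.cnf" <<'EOF'
[ v3_int ]
basicConstraints = critical,CA:TRUE
certificatePolicies = @pol
[ pol ]
policyIdentifier = 2.23.140.1.2.1
CPS.1 = "http://cps.example.test/"
EOF

# Root CA: self-signed, 4096-bit RSA, no Certificate Policies extension.
openssl req -x509 -newkey rsa:4096 -nodes -days 1 -subj "/CN=Demo Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# Intermediate CA: 2048-bit RSA, signed by the root, with the policy extension.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.cnf" \
  -extensions v3_int -out "$WORK/int.crt" 2>/dev/null

# RSA modulus size of the certificate's public key, in bits.
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# CPS URI(s) from the Certificate Policies extension; prints nothing if absent.
cps_uri() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *CPS: *//p'
}

# Per-certificate view: the root reports no CPS, the intermediate reports its own.
for c in root int; do
  printf '%s: %s-bit key, CPS=%s\n' "$c" "$(key_bits "$WORK/$c.crt")" "$(cps_uri "$WORK/$c.crt")"
done
```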