CA Certificate does not match http://cps.root-x1.letsencrypt.org (https://letsencrypt.org/documents/isrg-cps-v2.3/)

I got a Let’s Encrypt certificate for me (i.e.: my server). Inspecting the certificate I found his certification chain:

  • “DST Root CA X3” (Root CA)
  • “Let’s Encrypt Authority X3” (CA)
  • some_really_ugly_name

The CA states the CPS as http://cps.root-x1.letsencrypt.org (the Root CA has no such CPS), and that, in turn, states the Root CA is “ISRG Root X1” using 4096 bits. The X3 CA however uses just 2048 bits. My certificate has the CPS http://cps.letsencrypt.org, which redirects to https://letsencrypt.org/documents/isrg-cps-v2.3/ also.

Shouldn’t the CPS describe the certification policy? I’m quite confused.8-(

ISRG CA root Private Keys are RSA keys at least 4096 bits in length.

This quote is true because DST Root CA X3 is not an ISRG root, it's operated by IdenTrust.

Check "Cross-Signing" on Chain of Trust - Let's Encrypt to see how it all comes together.

Not sure about the CPS not describing the cross-signing setup.

1 Like

CPS stands for “Certification Practices Statement.” There’s also a document called the CP, or “Certificate Policy.” I know, it’s very confusing. :slight_smile:

Can I ask, what is the problem you are trying to solve? Is there a regulatory compliance issue that requires you to document key strength for your entire certification chain?

Curiosity: I found out that the Root CA has no CPS at all, and the intermediate CA has a conflicting CPS (that seems to belong to a different CA, actually).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.