Cert file incomplete?


#1

I got my beta and made my cert now here’s the problem the chain.pem and the fullchain.pem contain the intermediate, obviously, but somehow the intermediate chains down only to DST Root (aka IdenTrust) so where is the signature by the ISRG Root?


#2

I got mine too.

The root certificate is “DST Root CA X3”, clients know it and trust it. The intermediate is “Let’s Encrypt Authority X1”, which is signed by “DST Root CA X3” (chain.pem file). The certificate (cert.pem) is signed by “Let’s Encrypt Authority X1”.


#3

but it should be cross signed by ISRG and DST which you normally wont see in the browser, probably but you can see the number of certs and I know that there are 2 intermediates because 1 cert cannot have 2 signatures so I’d have to have AT LEAST 3 certs in the fullchain…


#4

So you mean “DST Root CA X3” is not the root certificate and is signed by some root certificate, right? For a moment, I thought the “DST Root CA X3” is the root ca which isn’t signed by someone but simply included/trusted in clients.


#5

DST is a root but the intermediate is cross signed by both the DST and the ISRG look at the certificates site of LE to see the structure, but because the same cert cannot have 2 signatures at the same time you need 2 copies of the intermediate… one signed by DST and another signed by ISRG


#6

I got it now. Thanks for the information.


#7

The intermediate certificates signed by ISRG and ISRG’s root certificate are linked in this blog post: https://letsencrypt.org/2015/06/04/isrg-ca-certs.html

I don’t think that the client downloads those (yet).