Certificate chain

Hi, I am pretty new to SSL generation. Thanks for all your help.

I received the certificate chain below as the result of a new order. When I tried to build it, it gives an error about the missing "DST Root CA X3". However, when I add "DST Root CA X3" as an issuer, the generated SSL certificate is not valid. "DST Root CA X3" is expired.

What should I do?

-------- certificate chain received ----------------
1:
SubjectDN: "CN=xyz.uuiq.com"
IssuerDN: "C=US,O=Let's Encrypt,CN=R3"

2:
SubjectDN: "C=US,O=Let's Encrypt,CN=R3"
IssuerDN: "C=US,O=Internet Security Research Group,CN=ISRG Root X1"

3:
SubjectDN: "C=US,O=Internet Security Research Group,CN=ISRG Root X1"
IssuerDN: "O=Digital Signature Trust Co.,CN=DST Root CA X3"


That depends on whether you need to serve any older Android devices.
If not, then you can remove the 3rd cert, as "ISRG Root X1" should already be in newer systems' trusted root stores.
If you do need to serve older Android devices, then you first need to understand how that is now being done:

  • Since those older devices don't have "ISRG Root X1" in their trusted root stores, there exists a cross-signed cert for it issued by "DST Root CA X3". But that cert recently expired. That was known, and it is expected that the older devices won't be checking root cert expiry, so this "trick" should work to serve them.

But you mention:

    "DST Root CA X3" is expired.

Again, this is expected.
If you don't need the longer chain, then don't use it.
If you need the longer chain for some clients but also can't use it for others, then there is no simple solution for you from LE, and you may have to use a cert from another trust chain, i.e. from another (free) CA.

