Certificate difference

The Microsoft website says to download the certificate here.

https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT

https://crt.sh/?d=69729B8E15A86EFC177A57AFB7171DFC64ADD28C2FCA8CF1507E34453CCB1470
Internet Security Research Group ISRG Root X2 BDB1B93CD5978D45C6261455F8DB95C75AD153AF

But the certificate downloaded from that website is different from the certificate provided by this website. Is there any difference? Why would it be different?

Which "certificate provided by this website" are you referring to, exactly?

2 Likes

https://letsencrypt.org/certs/isrg-root-x2.der

The two files are in different file formats: The isrg-root-x2.der is a "raw" DER file. The downloaded file from crt.sh is a PEM file, which is a format that is "text" friendly and is basically a base64 encoded version with a header and footer.

I downloaded both of these files:

https://letsencrypt.org/certs/isrg-root-x2.der
https://crt.sh/?d=69729B8E15A86EFC177A57AFB7171DFC64ADD28C2FCA8CF1507E34453CCB1470

Then I ran this command:
openssl x509 -inform PEM -outform DER -in 69729B8E15A86EFC177A57AFB7171DFC64ADD28C2FCA8CF1507E34453CCB1470.crt -out converted.der

converted.der is byte-for-byte identical to the isrg-root-x2.der from the Let's Encrypt website.

7 Likes

Strange. After downloading on Windows 2022, it shows that this certificate is not installed.
OK. Just as long as you're sure.

"ISRG Root X2" might be uncommon. The main certificate you need right now is "ISRG Root X1"

3 Likes

Also, Windows will do "lazy loading" of root certificates. So even if you don't see ISRG Root X2 in your system's root store, if you visit https://valid-isrgrootx2.letsencrypt.org/ (or any other site using ISRG Root X2 as its root) using Edge (or some other system that uses Windows's built-in certificate functionality), you might find that it has suddenly magically appeared in your root store.

3 Likes

If you want to install ISRG Root X2 (most people currently don't have a use for it) then you would install it to Local Computer Certificates > Trusted Root Certification Authorities. You don't just download it.

Note also that root certificates do not reliably update automatically on Windows. They are supposed to, but there are other factors, such as whether you have firewalls or group policy blocking either Windows updates or CA root updates (many organizations have group policy blocking CA root updates due to a bug years ago which required this feature to be disabled, which they have never enabled again).

3 Likes

I downloaded and installed this isrg-root-x2.der certificate into the system a few months ago. Yesterday, I downloaded the certificate from the force.com website and opened it, and it showed that it was not installed.
So I feel suspicious.

How did it show this? The Windows certificate UI does not identify if a certificate is installed or not just by opening the file (left image is the file from force.com, right image is the installed cert from LE):

Ultimately, if the Thumbprint values shown on the Details tab are the same then it's the same certificate. There may be a way to have 2 certificates with the same thumbprint, but I believe the chances of a duplicate are approx. 1 in 9 trillion.

3 Likes
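The check described in the replies above (normalize PEM to DER, then compare thumbprints), as an added example that is not part of the original thread. The helper names and the `SAMPLE_DER` bytes are constructed for illustration; pass two real file paths on the command line to compare downloaded files.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)

# Constructed stand-in bytes with a DER SEQUENCE header; NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def to_der(data: bytes) -> bytes:
    """Return raw DER bytes for a certificate supplied as PEM or DER."""
    match = PEM_RE.search(data)
    if match is None:
        # No PEM armor: accept only data that starts like a DER SEQUENCE (0x30).
        if not data.startswith(b"\x30"):
            raise ValueError("neither PEM nor DER certificate data")
        return data
    # Drop line breaks (LF or CRLF) before decoding the base64 body.
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)

def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (b"-----BEGIN CERTIFICATE-----\n" + body +
            b"\n-----END CERTIFICATE-----\n")

def thumbprints(data: bytes) -> dict:
    """Hash the DER encoding; the Windows 'Thumbprint' field is the SHA-1."""
    der = to_der(data)
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}

def same_certificate(a: bytes, b: bytes) -> bool:
    """True when both inputs decode to identical DER bytes (by SHA-256)."""
    return thumbprints(a)["sha256"] == thumbprints(b)["sha256"]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        first, second = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        first, second = SAMPLE_DER, to_pem(SAMPLE_DER)  # constructed demo input
    print(thumbprints(first))
    print(thumbprints(second))
    print("same certificate:", same_certificate(first, second))
```

The thumbprint is computed over the DER bytes, so a PEM file and a DER file of the same certificate always hash differently as files but identically after normalization.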

At that time, it showed that the certificate could not be verified. But there is already a root certificate in the system. So I am not sure about the authenticity of that website. I did not take a screenshot at that time. As long as you confirm that there is no problem.

No one (other than you) can confirm that you didn't have a problem.
If there was a MITM and they presented you with a fake cert, only you would have seen that cert.

3 Likes

I feel that there is a virus in my system, and the memory is constantly running out, but I can't find out what programs are consuming memory. Maybe it's related to this. Antivirus software can't find it.

If you think your system is compromised I'd advise backing up your data and configuration and reinstalling your operating system (reset with full wipe). There's usually no good reason to try to "remove" a virus as the machine will already be in an untrustworthy state.

2 Likes
