Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: https://communitytablets.cit.coop
My web server is (include version): IIS
The operating system my web server runs on is (include version): WS 2012
We believed we got around the DST Root CA X3 expiry last year using the ISRG Root X1 certificate however we've just been made aware some of the older tablets we have are throwing an untrusted error which I can recreate on a Android 5.1.1 tablet I've got. Reading around I can see there was a cross-signed certificate which I've now installed on our server. That seemed to work for a short while and I was getting excited, however my tablet is now showing the same error again.
Obviously I don't want to bring any sites down so am testing tentatively on our test servers.
This means I now have 3 root certificates on the servers and am after some advice on what course of action to take.
DST Root CA X3 (Issued By: DST Root CA X3) - Exp. 30/09/2021
ISRG Root X1 (Issued By: ISRG Root X1) - Exp. 04/06/2035
ISRG Root X1 (Issued By: DST Root CA X3) - Exp. 30/09/2024
My two intermediates are:
ISRG Root X1 - Exp. 15/09/2025
DST Root CA X3 - Exp. 29/09/2021