The Root YR does not have to be in the trust anchor store, because the TLS server is supposed to send it (actually a cross-signed version) to the TLS client. Then, this certificate chains up to a trusted root certificate X2, or definitely to X1 as the client searches for a valid trust chain.
bruncsak
6