I ran the below command:
certbot certonly --manual --preferred-chain "ISRG Root X1" -d *.adultdatelink.com
I'm still getting as shown below
How do I generate a certificate with ISRG Root X1?
My server is Windows IIS, just installed the latest version of certbot (1.19.0)
Please help to generate the certificate the proper way.
If the ISRG Root X1 chain certificate has to be added while running the certonly command, please give an example considering the ISRG Root X1.cer is stored directly as D:\isrg.cer
What you see isn't always what is there.
Windows will play tricks on you; as can browsers.
So you can't use any Windows tool to verify what is actually being served.
You've already generated a certificate the proper way. It's just that Windows is currently choosing to serve the old chain because it is not expired yet. It should automatically switch to the non-expiring chain as soon as the expiring chain actually expires.
If you'd like to force Windows to serve the newer chain before the old R3 expires, you'll need to explicitly "untrust" that old R3 cert by moving it from the Intermediate Certification Authorities cert store to the Untrusted Certificates trust store and then reboot. You can import this reg file to make it easier.
@rmbolger, Although that would work...
Wouldn't that cause problems if/when that system tries to access other sites that are forcing that now untrusted intermediate?
According to my testing, no. Windows will build an alternate trust chain and just use that one...the same way it does in the other direction when it chooses to build the expiring R3 chain even for servers presenting a new R3 chain.
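The store move described in the reply about untrusting the old R3, as an added PowerShell example that is not part of the thread and is not the reg file it mentions. It assumes the old R3 can be recognised as the intermediate with subject CN "R3" issued by "DST Root CA X3"; both names are assumptions exposed as parameters, and the script must be run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
using namespace System.Security.Cryptography.X509Certificates

[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed names for recognising the expiring intermediate; not taken from the thread.
    [string]$SubjectCN = 'R3',
    [string]$IssuerCN  = 'DST Root CA X3'
)

$machine    = [StoreLocation]::LocalMachine
$ca         = [X509Store]::new([StoreName]::CertificateAuthority, $machine)  # Intermediate Certification Authorities
$disallowed = [X509Store]::new([StoreName]::Disallowed, $machine)            # Untrusted Certificates

try {
    $ca.Open([OpenFlags]::ReadWrite)
    $disallowed.Open([OpenFlags]::ReadWrite)

    # Match on both subject and issuer so the R3 issued by ISRG Root X1 stays trusted.
    $old = @($ca.Certificates | Where-Object {
        $_.GetNameInfo([X509NameType]::SimpleName, $false) -eq $SubjectCN -and
        $_.GetNameInfo([X509NameType]::SimpleName, $true)  -eq $IssuerCN
    })

    if ($old.Count -eq 0) {
        Write-Warning "No '$SubjectCN' issued by '$IssuerCN' found in the intermediate store."
    }

    foreach ($cert in $old) {
        $label = '{0} (thumbprint {1}, expires {2:u})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
        if ($PSCmdlet.ShouldProcess($label, 'Move to Untrusted Certificates')) {
            $disallowed.Add($cert)   # add first so a failure never leaves the cert in neither store
            $ca.Remove($cert)
            Write-Output "Moved: $label"
        }
    }
}
finally {
    $ca.Close()
    $disallowed.Close()
}
```

Run it with -WhatIf first to list the matching certificates without changing either store; the reply above calls for a reboot after the move.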