Command to generate ISRG Root X1 certificate

I ran the below command:
certbot certonly --manual --preferred-chain "ISRG Root X1" -d *

I'm still getting as shown below

How do I generate certificate with ISRG Root X1?

My server is Windows IIS, just installed the latest version of certbot (1.19.0)

Please help to generate the certificate the proper way.

If the ISRG Root X1 chain certificate has to be added while running the certonly command, please give an example considering the ISRG Root X1.cer is stored directly as D:\isrg.cer

The above link shows that this will work.


Also when I visited the page, the certificate there is set to expire soon.

What you see isn't always what is there.
Windows will play tricks on you; as can browsers.
So you can't use any Windows tool to verify what is actually being served.


You've already generated a certificate the proper way. It's just that Windows is currently choosing to serve the old chain because it is not expired yet. It should automatically switch to the non-expiring chain as soon as the expiring chain actually expires.

If you'd like to force Windows to serve the newer chain before the old R3 expires, you'll need to explicitly "untrust" that old R3 cert by moving it from the Intermediate Certification Authorities cert store to the Untrusted Certificates trust store and then reboot. You can import this reg file to make it easier.

Untrust-DST-R3.txt (10.4 KB)

Just rename it to .reg and double click.
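To see which chain the server actually sends, independent of what Windows or a browser displays, the `Certificate chain` section printed by `openssl s_client -connect host:443 -servername host` from a non-Windows client can be parsed. The following is an added example, not part of the original posts; the sample outputs are constructed, and it assumes the "old R3" is the intermediate issued by DST Root CA X3 and the new one is issued by ISRG Root X1.

```python
import re

# Constructed samples of the "Certificate chain" section of s_client output.
SAMPLE_OLD = """\
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
SAMPLE_NEW = SAMPLE_OLD.replace(
    "i:O = Digital Signature Trust Co., CN = DST Root CA X3",
    "i:C = US, O = Internet Security Research Group, CN = ISRG Root X1")

# Assumption: the R3 issuer's CN identifies which chain is being served.
R3_ISSUERS = {"DST Root CA X3": "old R3 (expiring chain)",
              "ISRG Root X1": "new R3 (ISRG Root X1 chain)"}

def _cn(dn):
    """Extract the CN from a DN in either 'CN = x' or '/CN=x' notation."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif in_chain and line.startswith("---"):
            break
        elif in_chain:
            # Only s: and i: lines matter; OpenSSL 3 also prints a:/v: lines.
            m = re.match(r"\s*(?:\d+\s+)?([si]):\s*(.*)", line)
            if m and m.group(1) == "s":
                subject = _cn(m.group(2))
            elif m and subject is not None:
                chain.append((subject, _cn(m.group(2))))
                subject = None
    return chain

def classify(text):
    """Name the served chain by the issuer of the R3 intermediate in it."""
    for subject, issuer in parse_chain(text):
        if subject == "R3":
            return R3_ISSUERS.get(issuer, "unknown R3 issuer: " + issuer)
    return "no R3 intermediate sent"
```

Feed `classify()` the saved output of the `s_client` run; a result of "old R3" means the server is still sending the expiring intermediate regardless of which chain certbot requested.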


@rmbolger, Although that would work...
Wouldn't that cause problems if/when that system tries to access other sites that are forcing that now untrusted intermediate?

According to my testing, no. Windows will build an alternate trust chain and just use that one...the same way it does in the other direction when it chooses to build the expiring R3 chain even for servers presenting a new R3 chain.
