Confused about the different certificate chains in staging

All certs issued by STAGING R3 are issued by STAGING X1. There's a cross-sign for STAGING X1 to STAGING DST X3, which is used by default. ACME clients can be configured to use an alternate chain, but all that really does is leaving out the final cross-sign: You're still getting the same intermediate & leaf.

The staging chain mirrors the current production chain (which is also why there's an expired cross-sign root). The default chain is going to change next year, though your current setup should continue to work.

5 Likes