Hi @alspaughb, Let’s Encrypt is not able to do this; our intermediate certificate issued by IdenTrust does not allow us to issue further downstream intermediate certificates. If you look at our intermediate cert, it contains
X509v3 Basic Constraints: critical
That means we are only allowed to issue end-entity certs, not CA certs:
This reflects the nature of the authority that IdenTrust has given us.