Cross-signing with CAcert


I see that LE has their intermediate cert cross-signed with IdenTrust so the major browsers will trust it. Would it be possible for LE to cross-sign’s intermediate so it would be trusted as well? In other words, one non-profit organization helping another non-profit organization.



I don’t think that is plausible, because CACert allows wildcard certificates, while LE has said that they possibly won’t allow it for now. Also, CACert doesn’t have enough random bytes at the SerialNumber of the certificate. @jsha What’s your opinion on this?


I think they should first resign their root if not done already. last time I read they had to move the event.

okay forget this seemingly they have resigned by now.


Hi @alspaughb, Let’s Encrypt is not able to do this; our intermediate certificate issued by IdenTrust does not allow us to issue further downstream intermediate certificates. If you look at our intermediate cert, it contains

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0

That means we are only allowed to issue end-entity certs, not CA certs:

This reflects the nature of the authority that IdenTrust has given us.


If CAcert would like IdenTrust to sign their intermediate the same way they signed LE’s, who at IdenTrust would they contact?


good question. also I think IdenTrust wouldnt have liked it if LE just corss-signed CACert.
but LE could use its own root to cross sign CACert even thought it has yet no efect on browser trust.


Hmmm, I’m not sure — I wasn’t involved in that process.