DST Root CA X3 certificate


We have ISRG Root X1 certificate is installed on our exchange 2016 servers. But DST Root CA X3 certificate was not removed. recently, our users started to get the certificate prompt from DST Root CA X3 certificate as below

How can I get rid of this? Is it safe to remove the certificate from exchange servers?
How can i remove this from all user machines?

that's not DST X3, but old leaf certificate from 2019 signed by Let's Encrypt X3 (yes, there is name collision there)


it is showing as DST X3

because you are posting old leaf certificate before LE moved to where own root certificate, so it chains to DST


you forgot to apply renewed certificate like forever, showing this old one

but, you should be using this certificate, which web server serves.


As @orangepizza is saying, your service in the first screenshot is using an old certificate from 2019, so renewing the certificate and updating the service certificate bindings would solve that. Your certificate should be updating every few months and you should be using an ACME client to automate that, not a manual process.

The Windows certificate viewer shows the best chain path windows was able to build, it's not necessarily your actual chain being served by your TLS enabled services depending on what they are. Windows clients will also build their own best trusted path when they recognize the intermediate your certificate is signed by, other clients and operating systems vary and some do rely more on your served chain.

I'd also suggest renewing your certificate now so that it's no longer chained via R3 (which it will be in reality, windows is showing you the chain it built, not the actual chain) and is instead chained to the newer R10 or R11 intermediates, this is because it's not worth solving an R3 chain problem now and your next renewal will use the newer intermediates.

If the problem persists in some way after renewing the certificate check what you have under Certificates - Local Computer > Untrusted Certificates > Certificates, it's possible something you need has been manually disallowed and it's preventing the chain path being built. ISRG Root X1 "issued by ISRG Root 1" (not the one issued by DST Root CA X3) must be present under Trusted Root Certification Authorities.

You should also ensure that Windows Updates are current (not blocked) and that the machine can make outgoing http and https requests in order to fetch CA root list updates and dynamically update known intermediates (which is something windows does). You should also check that CA root updates have not been disabled by policy, that was a common workaround for a bug about a decade ago that seems to have stuck around in some places: How to enable the "automatic root certificates update" on Windows Server 2016 - Microsoft Q&A

Your final chain for an RSA certificate should look like Leaf > R10 or R11 > ISRG Root X1, anything else is probably wrong (or perhaps cached by the OS UI). You should ideally verify what you expect to see on a test server first.


from my opessl s_client it looks like they solved it, just not bothered to reply back: we may see OP again in July if it's manual but I don't think it'd be


Thank you very much for the details