@nyet
OK, what are you looking to do?
1 Like
@birdenbire much of Let's Encrypt DST Root CA X3 expiry Sept 30th 2021 | Certify The Web Docs is relevant to win-acme as well, but the main thing is to ensure you have ISRG Root X1 (Self signed) installed in your Trusted Root Certification Authorities store. You can usually achieve this by browsing to https://valid-isrgrootx1.letsencrypt.org/ or by installing the root manually.
You can only get rid of magically populated certs by moving (dragging) them into Untrusted, otherwise the OS will repopulate, however you don't need to do that for DST Root CA X3, you can ignore it unless you have something specific in mind.
Compatibility varies by client for the long chain too. Either you have the short chain and break 5-year-old phones, or the long chain and break OpenSSL 1.0.2 and some other clients.