We have an embedded system (client) that will communicate with a server using letsencrypt. The client validates the certificate by verifying the certificate chain using the public key of “DST Root CA X3.” This has been tested and works well right now. I have questions however about how to keep this system working in the future:
- My understanding is that DST Root CA X3" will expire Thu 30 Sep 2021 02:01:15. how can I confirm this?
- How many days/weeks/months in advance of this expiration will a replacement for DST Root CA X3 be issued?
- What is the protocol in the extremely unlikely chance that DST Root CA X3 is compromised? Is a new root certificate immediately issued and the compromised certificate immediately revoked? I see this as a potential problem for our system because it will have no way to get the new certificate if the old is no longer working and there is no lead time to make the switch.
- Is there any sort of notification I can sign up for so I can know when I need to update this root certificate and be given the maximum time possible to roll the update to our customers?
My thought is to always store the public keys of 2 root certificates in the embedded system so the system will stay fully functional through any transition from one root certificate to another. The system will always check for new root certificates on boot by communicating with a server via TLS using a letsencrypt certificate. Does this all seem like it would work? I’m rather new to this whole certificate validation thing so any thoughts and advice are welcome…