Extend cross-signed by IdenTrust’s DST Root CA X3 signed certs

Quick question.

What would be the best way to test clients against the short chain?
I can see that Chain of Trust - Let's Encrypt has test websites with the valid/expired/revoked certificates.

I am using this openssl command with the old ca.pem against the "valid" website, and it succeeds:

openssl s_client -connect valid-isrgrootx1.letsencrypt.org:443 -servername valid-isrgrootx1.letsencrypt.org  -CAfile old.epm | openssl x509 -noout -dates

I am expecting it to fail, but it succeeds. What am I missing?
Is valid-isrgrootx1.letsencrypt.org signed with a long or short chain?
What's the right way to test clients against the short chain?

Thank you!
