Get ISRG Root X2

i want to try use ISRG Root X2 for EC cert. how i do it? i had using Certify The Web tool setup it, but it can't get ISRG Root X2 cert.

Read here:

and be prepared to wait.


i can't find my account id, my using tools has no any logs about it.

That would have to be something you'll have to sort out with the support of the ACME client you're using. Or provide more info about your ACME client, perhaps anyone here knows something about it.


You should direct this question to but you will find your account id as part of the managed certificate log file [which you can find on the status tab of any managed certificate you have already set up].


The Certify has no any about account id information.

i using pfsense 2.6 and

mybe i find account such as:

id number has changed by me.

Yes, if you check the log and look at an order URL the account id is the first number:**<account id>**/<order id>

So then your full account id url is<account id>


I have submitted my application, how long will this take?

1 Like

Some weeks. 2-6 if I had to guess.

1 Like

too long waiting... :melting_face:

If you want it, ask and forget about it. One day, you'll get an email.

1 Like

Sounds like winning the lottery.... :flushed:

It will happen. You just don't know when. :smiley:

1 Like

Maybe I should go burn incense and pray... :face_in_clouds:

i get x2 cert now. but test site show "This server's certificate chain is incomplete. Grade capped to B."

How i fix it?

This is because the X2 (ECDSA) root isn't in the version of the trust stores that SSL Labs has.
There is a cross-sign from the X1 root to the X2 root, which is what SSL Labs is calling an "extra download".

You have two options:

  1. Wait for software to update to include the x2 root and this issue will eventually go away. This is the reason the X2 root is still behind an allow-list, as there may be compatibility issues still.

  2. Include the X2 cross-sign in the chain served by your TLS server. You can get a copy of it here: -- I'm not sure offhand if the ACME API includes it.


It does. It's not only the default, it's the only proposed chain.

i have installed isrg-root-x2-cross-signed.der in windows 2022 IIS. but it still not fix it...