Continuing the discussion from Which browsers and operating systems support Let's Encrypt:
In https://github.com/letsencrypt/letsencrypt/issues/1660 there is some information suggesting that the Name Constraints on our cross-signed certificate from IdenTrust are the reason IE and Chrome on Windows XP don’t support Let’s Encrypt certificates. I’d like to enlist some help from the community in testing that hypothesis. If you’re interested in volunteering, please try this:
- Create a CA cert and intermediate with the same fields as our intermediate. There are some scripts that should get you a good start here: https://github.com/jsha/sign-test.
- Add that CA cert to the trust store on a Windows XP box. I’m not sure how to do this, you’d need to look up documentation.
- Issue an end-entity cert from the intermediate you generated, and provision it on a web site.
- Visit that web site in IE and Chrome on the XP box. Verify the site is not trusted, and that the error message matches the message in #1660.
- Repeat steps 1-4, but without the NameConstraints fields in the intermediate. Is the certificate trusted?
- If the certificate is trusted in #5, try adding back the NameConstraints, plus an explicit Permitted field as suggested by intgr here. Is the certificate trusted?
If #6 is true, we may be able to make things work on XP. Please save the certificates from each step so others can check them too.
Thanks very much for your help, if you are able to give it!
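Added example (not from this post or from the Let's Encrypt project): a POSIX shell script that uses the openssl CLI to build the chain shapes from steps 1, 5 and 6 (a root, a name-constrained intermediate, and an end-entity cert) and checks each with `openssl verify`, so the saved certificates can be sanity-checked before they go onto the XP box. The subject names and the domains in the constraints are constructed placeholders, and the script assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example: root -> name-constrained intermediate -> leaf, then openssl path
# validation. All names and domains below are constructed placeholders.
set -eu

# gen_key_csr DIR NAME SUBJECT : EC key plus CSR (fast to generate)
gen_key_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# build_chain DIR NAMECONSTRAINTS LEAF_DNS : writes root.pem, int.pem, leaf.pem
build_chain() {
  d=$1; nc=$2; leaf=$3
  gen_key_csr "$d" root "/CN=Test Root"
  gen_key_csr "$d" int  "/CN=Test Intermediate"
  gen_key_csr "$d" leaf "/CN=$leaf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
  # Intermediate: a CA carrying the nameConstraints extension under test
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nnameConstraints=critical,%s\n' "$nc" > "$d/int.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$leaf" > "$d/leaf.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
    -extfile "$d/root.ext" -out "$d/root.pem" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/int.ext" -out "$d/int.pem" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
}

# verify_chain DIR : prints "trusted" or "untrusted" per openssl's path validation
verify_chain() {
  if openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

# run_variant NAMECONSTRAINTS LEAF_DNS : builds the chain in a temp dir, prints the verdict
run_variant() {
  d=$(mktemp -d)
  build_chain "$d" "$1" "$2"
  verify_chain "$d"
  rm -rf "$d"
}

# Steps 1-4 shape: excluded subtree only, leaf outside it     -> trusted
run_variant 'excluded;DNS:.blocked.test' www.example.test
# Step 6 shape: excluded subtree plus an explicit permitted one -> trusted
run_variant 'permitted;DNS:.example.test,excluded;DNS:.blocked.test' www.example.test
# Control: leaf inside the excluded subtree                     -> untrusted
run_variant 'excluded;DNS:.blocked.test' www.blocked.test
```

Keep the `root.pem`, `int.pem` and `leaf.pem` from each variant (drop the `rm -rf` line) if you want to share them with others as the post asks.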