How to confirm the appropriate root and intermediate certificates are installed?

My payment provider, Elavon Converge, sent out a notice stating that they are transitioning to DigiCert and that the change will take effect in June 2025. They ask me to confirm that the web server has the appropriate root and intermediate certificates for its environment (PEM or DER/CRT) and, if not, to download and install the DigiCert Global Root G2 and DigiCert Global G2 TLS RSA SHA256 2020 CA1 certificates.

Now, the web server is using Let's Encrypt for its certificate. I see that Let's Encrypt uses R11 and ISRG X11 as the root and intermediate. How do I confirm whether my server has the necessary DigiCert (or equivalent) root and intermediate certificates? If I need them, how do I install them alongside Let's Encrypt?

I do have root access to the server.

Regarding the server and certbot: this is an older server running Ubuntu 16.04 (LAMP stack) with Virtualmin 6.17 Pro / Webmin 1.981 on it, and that is how the Let's Encrypt certificates are generated, through its interface.
From what I understand, it uses its own built-in ACME client. When I run certbot --version or certbot-auto --version, I get "command not found".

Thanks in advance for help!

While your webserver may have a Let's Encrypt certificate, this doesn't really affect anything regarding your payment provider's notice.

The certificates in this context are used for authentication in TLS. A server presents a certificate to a client to validate the connection's authenticity. Your webserver has a certificate (apparently from Let's Encrypt) to provide its authenticity to clients - the visitors of your website. Your payment provider also has (web-)servers, which also need to prove their authenticity to someone.

Depending on how the payment protocol in question works, it is possible that your server needs to make an outgoing connection to the payment provider. In this case, your webserver becomes a client towards the payment provider. This is probably the scenario your payment provider is talking about. It is the client's task to validate a certificate's authenticity. This requires a set of preinstalled "root" certificates, known and trusted by the client. They're not truly relevant to a server.

The set of root certificates depends on the applications that are involved. In many cases, operating systems have a set of root certificates that are automatically trusted by applications running on the system. For Ubuntu, this is the ca-certificates package. The latest publicly available ca-certificates package for Ubuntu 16.04 is apparently this one: ca-certificates 20210119~16.04.1 (amd64, Xenial 16.04).

I have checked the source code of that package and I can confirm that ca-certificates version 20210119 contains the DigiCert Global Root G2 root certificate. It does not contain the DigiCert Global G2 TLS RSA SHA256 2020 CA1 certificate, but this is expected since it is an intermediate certificate. Intermediates are not commonly pre-installed in trust stores, nor is this necessary (or even useful) in a properly configured environment. Only the root needs to be trusted by the client.

To sum up: If your server has the ca-certificates package installed in a version >= 20210119, then your OS, and therefore most applications running on it, has the DigiCert Global Root G2 root certificate. This should be enough in most scenarios, but I cannot say that for certain: to be sure, we would need to know how exactly your webserver connects to your payment provider (which protocol, which application handles it, etc.).

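The check described in the answer above (is the root in the trust store the client will actually use, and is the intermediate absent from it, as expected) can be done from the server itself. The following is an added example written for this thread, not code from the original posts or from the ca-certificates package. It assumes Ubuntu's default bundle path /etc/ssl/certs/ca-certificates.crt (what Ubuntu's curl, and so PHP's curl extension unless curl.cainfo or openssl.cafile in php.ini point elsewhere, reads by default) and uses the subject commonName exactly as the DigiCert notice names the root; the SAMPLE_STORE entries are constructed placeholders, not DigiCert's real serial or dates.

```python
"""Confirm that a root CA is present in the trust store a TLS *client* on this
box will use. Added example for this thread, not code from the original posts.

Assumptions (not stated on the page): UBUNTU_BUNDLE is the default path from
Ubuntu's ca-certificates package, which Ubuntu's curl/PHP-curl use unless
php.ini overrides it; the commonName strings are the ones from the notice.
"""
import os
import socket
import ssl
from typing import Iterable, List, Optional

UBUNTU_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # assumption: Ubuntu default
DIGICERT_ROOT_CN = "DigiCert Global Root G2"
# Deliberately NOT expected in the store: the intermediate is sent by the
# server during the handshake, so a client never needs it pre-installed.
DIGICERT_INTERMEDIATE_CN = "DigiCert Global G2 TLS RSA SHA256 2020 CA1"


def cert_cn(cert: dict) -> str:
    """commonName from a getpeercert()/get_ca_certs()-style dict, '' if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def find_roots(certs: Iterable[dict], cn: str) -> List[dict]:
    """All CA certs whose subject commonName equals cn."""
    return [c for c in certs if cert_cn(c) == cn]


def load_bundle(path: str) -> List[dict]:
    """Load a PEM bundle the way a client does (load_verify_locations) and list
    the CA certificates OpenSSL accepted from it. get_ca_certs() reports cafile
    entries directly; capath entries only show up after a handshake used them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


def load_default_roots() -> List[dict]:
    """CA certs from the platform default store that create_default_context() uses."""
    return ssl.create_default_context().get_ca_certs()


def report(certs: Iterable[dict], cn: str) -> dict:
    """Whether cn is trusted, plus serial and expiry of every matching entry."""
    hits = find_roots(certs, cn)
    return {
        "found": bool(hits),
        "matches": [{"serial": c.get("serialNumber"), "notAfter": c.get("notAfter")}
                    for c in hits],
    }


def verify_host(host: str, cafile: Optional[str] = None, port: int = 443) -> dict:
    """End-to-end check: do a real handshake using the given store and return the
    leaf's subject and issuer CNs. Raises ssl.SSLCertVerificationError when the
    chain the server sends does not end at a trusted root. Needs network access,
    so the offline parts of this script never call it."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            peer = tls.getpeercert()
    issuer = {k: v for rdn in peer["issuer"] for k, v in rdn}
    return {"subject": cert_cn(peer), "issuer": issuer.get("commonName")}


# Constructed sample in get_ca_certs() shape so the logic runs without a real
# bundle. Serials and dates are placeholders, not DigiCert's real values.
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
                 (("commonName", DIGICERT_ROOT_CN),)),
     "serialNumber": "PLACEHOLDER", "notAfter": "Jan 15 12:00:00 2038 GMT"},
    {"subject": ((("commonName", "Some Other Root CA"),),),
     "serialNumber": "PLACEHOLDER", "notAfter": "Jan  1 00:00:00 2030 GMT"},
]

if __name__ == "__main__":
    certs = load_bundle(UBUNTU_BUNDLE) if os.path.exists(UBUNTU_BUNDLE) else load_default_roots()
    print("root in store:", report(certs, DIGICERT_ROOT_CN))
    print("intermediate in store (expected False):",
          report(certs, DIGICERT_INTERMEDIATE_CN)["found"])
    # Optional live check against the DigiCert G2 chain-demo host from this thread:
    #   print(verify_host("global-root-g2.chain-demos.digicert.com", UBUNTU_BUNDLE))
```

Run it as root on the server: "found": True for the root and False for the intermediate is the healthy result. If the root turns up here but the live check still fails, the client is reading a different store than the bundle, so confirm what PHP is using (curl.cainfo in php -i, or openssl_get_cert_locations() in a php -r one-liner) rather than adding the intermediate to the trust store.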

I think they're talking about their certificate, not yours.

Check if this command works:

curl -IL https://global-root-g2.chain-demos.digicert.com/

DigiCert lists it as an intermediate: DigiCert Root Certificates - Download & Test | DigiCert.com


Yeah I was scrolling too fast and confused the rows for intermediate vs roots. I've restored the original paragraph about this being an intermediate.


First, I must commend you on taking the time to explain this in such detail. I really appreciate that. I realized while reading your response that this is indeed what the payment provider is talking about: my server is making a connection to their server and needs to validate the certificate. Thanks for clarifying that for me. Second, thank you for also looking into which version of the ca-certificates package contains the needed certificate. I see that you listed version 20210119. I checked the server with apt list ca-certificates and got the response ca-certificates/xenial-updates,xenial-updates,xenial-security,xenial-security,now 20210119~16.04.1 all [installed]. So, from what I understand from your response, I should be OK and should have the root cert from DigiCert. However, to be certain, you need more information. I can tell you that the server runs a PHP web application and makes a request out to the provider. I think cURL over HTTPS handles the cert handshake. Does that give you enough details to be more certain I should be OK without the intermediate DigiCert Global G2 TLS RSA SHA256 2020 CA1 cert? Thanks again in advance!


curl/PHP should use the certificates from the ca-certificates package, yes. That should be fine.


Thank you for your help!
