How to cross-sign Let's Encrypt intermediate authorities with other authorities

I have my own private certificate authority designed with OpenSSL that issues self-signed certificates that are recognized internally only. I want to ensure public recognition with other browsers. And to do that I need to create a trusted path from my leaf certificate to the ISRG Root X1. I've done some research on how to do this and I've discovered that to solve this problem I need to create a chain of trust by establishing a cross-sign between the certificates issued by Let's Encrypt and those of my organization (Intermediate Certification Authority). (Cross-Signing and Alternate Trust Paths; How They Work) here's the article I found on this subject, but it didn't allow me to perform the cross-sign. I need an answer.

Yeah, no, that's not going to happen.

Strictly speaking, Let's Encrypt could cross-sign a third-party intermediate, but as a public CA, that third party would need to be audited to almost, or even exactly, the same level of scrutiny as any other public CA. And that costs a LOT of money.

But even if you'd go that path, Let's Encrypt staff members have already said multiple times that Let's Encrypt does not cross-sign intermediates of other parties.


If this ever happens, let me know.
I'd like to be my own CA as well :wink:


This means becoming a public Certificate Authority, with all the legal stuff that comes with it. All major browsers require their CAs to adhere to the Baseline Requirements, which impose a lot of requirements on you (lawyers, audits, security devices, validation and much more), so you need a lot of money and a willing CA to go down that road. And as already stated, Let's Encrypt will in general not do this, even if you had the infrastructure and money. Other CAs might do this though; after all, this is how Let's Encrypt started.

What you want to do instead is to install your own (private) root certificate into your machine's browsers and/or operating systems manually. This is common in corporate networks. Most operating systems and/or browsers allow you to install your own "enterprise" roots to enable this. You can then sign your certificates using that root certificate and do whatever you want.


Besides, if they have public names, it's probably a lot easier for most scenarios to just get a "real" cert from Let's Encrypt and just use that everywhere, rather than worrying about having a private CA at all.


Okay, thank you all for your answers. Thank you very much, I really understand why there's no documentation on the subject.


I was understanding the question the other way around; he could cross-sign ISRG Root X1 with his own internal CA, to construct a chain compatible with both his private PKI and the public PKI.


What's the practical use of that? I assume every host on the private network already trusts the Let's Encrypt chain. What's the added benefit of building a chain from LE to your own private PKI?

Also, the part "I want to ensure public recognition with other browsers. And to do that I need to create a trusted path from my leaf certificate to the ISRG Root X1." from OP really does not suggest what you're suggesting, sorry.


Well, if we did that with Doctored Durian we'd have known better about the DST root expiry before it happened.


I'm not saying it would be a good idea, it's just how I understood the question when I first read it.
Also because the other way around — his private CA being cross-signed by Let's Encrypt — is completely unthinkable, as argued above.

