How to get the following certificates

Hi All,

We use letsencrypt, how to get the following certificates from our domain:

Root CA
CA Class 1
CA Class 2
CA Class 3
CA Class 4

SSL Class 1
SSL Class 2
SSL Class 3
SSL Class 4

Without more context, that doesn’t make sense. Can you provide more information? What software is asking you for that? Does it explain what it means? Can you provide any links?

1 Like

sorry, I don’t understand what you mean?.. what info you want?

our domain is: and we use letsencrypt

What’s a CA Class 1, 2, 3 or 4? What is an SSL Class 1, 2, 3 or 4? What’s the difference between a Root CA and a Root CA SSL? What do you need them for?

I see this link and I want to follow them, again what we have is only letsencrypt SSL certificate… need advice…


I’m still confused by your messages. Can you tell us what you end goal is? If you’re using an ACME client like Certbot get your certificates you don’t need to take any extra steps or manually download any root CA certificates.

What about that page makes you think it's an example you should follow?

A page like that one is mostly beneficial for a certificate authority, not for a regular site that uses the certificate authority’s services.

The approximate equivalent page for Let’s Encrypt is probably

Individual web sites that use Let’s Encrypt services do not have to post this information and gain no benefit from posting it.

1 Like


we are in the progress to launch our digital signature web app, we use Letsencrypt for our domain and we create .pfx based on .pem that generated by Letsencrypt and our app will do digital signing to the uploaded pdf using that .pfx.

The government’s regulation requires us to
inform root CA certificates, chains etc in the website, the link that I gave in my previous message is one of the provider here.

any idea or suggestion?

many thanks in advance

In this case I think what you're looking for is the documentation page that @schoen linked to: Chain of Trust - Let's Encrypt This page has Let's Encrypt's root and intermediate certificates. If these don't meet your requirement I think you'll have to be more specific about the government's regulations and how they are met.

Good luck!

1 Like

Would you be willing to share which country and which regulation that is? I haven't heard of a rule like this anywhere so far, although I know each country's PKI regulations may be different.

1 Like

This does not sound like a feasible application of Let's Encrypt - or I misunderstand your intentions completely.
It seems that you want to enable a person John Doe to electronically sign a file (e.g., a PDF document) using a private key that has been certified by LE. While you technically can use LE to create such a key for, say, for the DNS name john-doe.yourdomain.example, this would mean that the signature is on behalf of the DNS name, not on behalf of the person John Doe (not even on behalf of the owner of a possibly existing mailbox john-doe@yourdomain.example). As such, it would not fulfill the purpose of a signature: That one can verify that the signing person acknowledges authorship of and/or responsibility for the document content (which might be a contract, for example).
Note that it would be very simple for me to counterfeit the process by doing the same and signing a fake document in the name of said John Doe by using a key I can readily acquire for john-doe.mydomain.example.

Thus for signatures in this sense, additional scrutiny is required. In order to be accepted, you have to essentially become a CA of your own (or a suitable subordinate CA) and employ processes that ensure that certificates you issue have the appropriate properties, i.e., are certified not only for a web server and its DNS name, but for a uniquely identifiable natural person (there could be several John Doe's, couldn't there?); that precautions against abuse are made (e.g., that the certificate needs to be stored on a chip card and can only be used with 2FA); and perhaps a lot more - including scrutiny assessments by the government.

To summarize again, this is not what LE is or even can be for - or I totally misunderstood the intentions.

You are absolutely correct that’s what I mean, and yes it is not possible to use LE for this purposes.

Do you have any idea or suggestion to accomplish this?


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.