How to request IdenTrust intermediate CA


#1

I’ve just read the announce:
https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html
i quote:

Subscribers who need to support very old TLS/SSL clients may wish to manually configure their servers to continue using the cross-signature from IdenTrust

How can i do this? how can i make my renew after Jul 8 2019 to continue to be issued by the IdenTrust intermediate CA?
I’ve checked the certbot documentation but i can’t find any specific parameter.
I must support some legacy clients, that’s why i need to do this.

thank you,
regards


#2

Hi @davideg,

You can find the Identrust cross-signed intermediate certificate on our certificate chain page. Here’s a direct link: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

I have to defer to someone on the Certbot side of things to advise you on how to change your usage to prefer the cross-signed intermediate and not the chain returned from the ACME server.


#3

I don’t believe that we currently have a feature to automate this task, so I’ll create an issue in our issue tracker to propose it. I assume it will become much more relevant to our users after July!


#4

I created https://github.com/certbot/certbot/issues/6971 to track this issue for Certbot (without proposing a particular solution yet).