I have the certificate CN = ISRG Root X1 stored and active in the Trusted Root Certificates of my Windows 10 computer. Do I need this certificate on my computer to browse the web?

I am just wondering if I need this certificate on my computer for regular browsing of the web? Is there any way to tell when this certificate was installed/downloaded or otherwise appeared on my machine? Is there some way to tell how or what made it onto my machine? Like possibly some website I visited, is there any possible way to tell why or how (method) it made it onto my machine and the date?

Trusted Root Certificates
CN = ISRG Root X1
Valid From: Thursday, June 4, 2015 3:04:38 AM
Valid To: Monday, June 4, 2035 3:04:38 AM
Public Key Parameters: 05 00 (IX509PublicKey Interface)
Subject Key Identifier: 79b459e67bb6e5e40173800888c81a58f6e99b6e
Serial Number: 008210cfb0d240e3594463e0bb63828b00
Client, Server
Key usage: Certificate Signing, Off-line CRL Signing, CRL Signing (06)

My domain is: none

I ran this command:

It produced this output:

My web server is (include version): none

The operating system my web server runs on is (include version): Windows 10, no web server

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don't know): ?

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not attempted

1 Like

I don't fully understand your question. Why do you doubt the root certificates of your Windows?

1 Like

First, I am having issues with my computer and unauthorized access. I do have reason to believe this unauthorized access is stemming (at least in part) from certain certificates on my machine. Researching this particular certificate, it appears I would have no need for it since I do not use Let's Encrypt certificates for any website I own/operate.
For a basic example: Key usage: Certificate Signing, Off-line CRL Signing, CRL Signing (06) - I literally have no need for such key usage on my machine.
Furthermore, I also have issues with my own online accounts such as maintaining control of them. For another example, let's say I post a question on a Microsoft forum. I literally lose access to the website, my account, my post, etc... almost immediately after posting.

1 Like

Hi @SarahBucklew and welcome to the LE community forum :slight_smile:

In short: YES.

If you expect to browse to any of the 200M+ websites that use LE certs, you should have their root cert in your trust store.
As for when, that would be very hard to tell (exactly).
As for how, it should have been updated via a regular Windows Update.

Your "argument" would also hold true for all the other trusted root certs.
Why not delete them all?

3 Likes

You probably surf to more sites than just your own?

That's because it's a root certificate which delegates its function to intermediate certificates. So a root certificate should have "Cert signing" key usage, otherwise it couldn't sign the intermediate certificate.

I'm no expert, but I do know one thing: if a system is compromised, don't bother finding and fixing that one single piece of malware you can find. You should assume the entire system is compromised no matter how good your search is and how much malware you find. The only option, IMO, for a compromised system is to start from scratch.

3 Likes

Okay, that answers my question. I must have this certificate installed to view the websites with Let's Encrypt certificates. I did not gather that from the questions on the forum.

3 Likes

That is the (one of the) function of root certificates in a root certificate store. You wouldn't find that answer here on this Community, because it's not something that has been asked before :stuck_out_tongue: Of course nobody is an expert, I understand that, but the purpose of root certificates is fairly common knowledge for people operating with TLS certificates (the main visitor of this Community). When you're not operating with TLS certificates, I can understand the knowledge about the purpose of root certificates isn't known :slight_smile:

3 Likes

No, of course you would. I have literally tried that so many times, in so many ways, and the issues are being remotely deployed to my computer no matter what I try. I have literally tried everything from an OS/machine perspective. I am trying to get to the bottom of the certificates on my computer. You know, trying to learn something I know nothing about, so it may reveal some hidden truth.
Lastly, I know one of my (for lack of better term) "hackers" is one of the founding members of Let's Encrypt. So I thought it was worth a shot to learn something I did not know about this particular certificate, since I have literally never noticed this particular certificate before.
Can I ask one more question of you, since you appear to be helping me? If I have an expired certificate in my Trusted Root Certificates, can it still be used for the usage selected?

2 Likes

As far as I know, only Android ignores the "notAfter" date set in a root certificate. Other OS such as Windows should respect the expiry date, which would invalidate the root certificate for usage.

3 Likes
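As an added example (not part of the original thread): a read-only PowerShell check of the points raised above, namely that the stored ISRG Root X1 matches the serial number and Subject Key Identifier quoted in the first post, is a self-issued CA with certificate-signing key usage, and is within its validity period. The store paths are assumptions about where the certificate sits on a given machine.

```powershell
# Added example, not from the thread. Expected values are the ones quoted
# in the first post; PowerShell's -eq compares strings case-insensitively.
$expectedSerial = '008210cfb0d240e3594463e0bb63828b00'
$expectedSki    = '79b459e67bb6e5e40173800888c81a58f6e99b6e'

# Store paths as exposed by the PowerShell certificate provider (assumed locations).
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'

foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*CN=ISRG Root X1*' } |
        ForEach-Object {
            $cert = $_
            # .NET decodes the well-known extensions into typed objects.
            $ku  = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
            $bc  = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            $ski = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] }

            [pscustomobject]@{
                Store         = $store
                Thumbprint    = $cert.Thumbprint
                # Ignore leading zeros so "00 82 10 ..." and "82 10 ..." compare equal.
                SerialMatches = ($cert.SerialNumber.TrimStart('0') -eq $expectedSerial.TrimStart('0'))
                SkiMatches    = ($ski.SubjectKeyIdentifier -eq $expectedSki)
                # A root is self-issued: subject and issuer are the same name.
                SelfIssued    = ($cert.Subject -eq $cert.Issuer)
                IsCA          = [bool]$bc.CertificateAuthority
                # A root needs KeyCertSign to sign intermediate certificates.
                KeyUsages     = $ku.KeyUsages
                NotBefore     = $cert.NotBefore
                NotAfter      = $cert.NotAfter
                Expired       = ($cert.NotAfter -lt (Get-Date))
            }
        }
}
```

Serial number and key identifier are public values, so the stronger identity check is that the reported Thumbprint equals the fingerprint the CA publishes for this root.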

The appearance of a cert (even expired ones) in the trusted root store can in NO way create a compromise of that system.

There is something else at play - certs don't create compromise.

4 Likes

Thank you!

3 Likes

I'd suggest that your machine has a key logger installed and it's forwarding your login credentials to an attacker. You should switch to a new machine and format the old one because if you don't know how it got infected then you can't trust that machine at all. You should use 2 factor authentication where you can (e.g. where you get an SMS or use the Authenticator app on your phone to confirm a code), and you shouldn't re-use passwords between different accounts (store unique passwords in LastPass or similar).

4 Likes

I would normally agree with you. However, I have gone out and bought several new Windows machines and it is the same issue... The deployment of the same hack which literally takes over my computer. It has something to do with Windows. Even further than that, it has something to do with Microsoft. It overrides everything I know to be true about computers. It overrides the original operating system and makes my Windows machine a client computer. So, I thought it would be a good idea to look into the certificates, which is why I am here.
I do thank you for your response though! I have my computer(s) at a state I can control at this point, but it is usually only temporary. Thank you again!!

3 Likes

Did you set them up with the same Microsoft account? Perhaps it is a rogue plug-in / extension for Edge that gets auto-setup between each Edge using your account? Or even a rogue program masquerading as an antivirus (which has an option to inspect https traffic). Do you get the same problem if using a browser like Firefox? Perhaps some unusual rogue in your router if common to all browsers? Sorting it out is well beyond the scope of this forum but I wish you good luck.

2 Likes

I think at that stage I'd admit defeat and hire a local IT administrator (someone with extensive Microsoft experience) to have a look at your systems. Clearly you already know computers, but maybe not quite what's needed here (and perhaps nobody here would know either). Note that you are entitled to support from Microsoft, so you should definitely contact them.

2 Likes