Idea Regarding Communication of Root Certificate Authority

Client dev
1

First, I just have to say what you are doing is beyond awesome, way into the heroic, something that shows humans are better creatures than anyone could ever figure. Not only is your objective fantastic, your innovative, complete, intelligent implementation is just so great, I just want to tip my hat, then fall to ground to kowtow. Since money talks and we all know what walks, I made a small donation as gesture.

I have an idea for adding a comment to the notes produced when issuing certificate that might help people understand how this works more easily. I don't know if you ever experienced this, but SSL setup can be pretty flipping confusing if it something you are not doing all the time. Almost all explanations of what is involved are horrible. Most of the the time, there are mistakes, but when nothing is wrong, the explanations are nearly always baffling. One of the things I am so excited about with letsencrypt is the coherant, complete way you explain things, but it is not perfect yet.

The problem I ran into, I have seen some questions about this, is I was wondering how the certificates from letsencrypt are tied to trusted CA certificates. This came up while sorting through messages produced in issuing a certificate

Your cert is in /root/.acme.sh/example.com/example.com.cer
Your cert key is in /root/.acme.sh/example.com/example.com.key
The intermediate CA cert is in /root/.acme.sh/example.com/ca.cer
And the full chain certs is there: /root/.acme.sh/example.com/fullchain.cer

I was tracking these through the installation process, and started wondering.....

Put yourself in the shoes of someone who just bought a cert a few days ago. These are the files I got from that:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

All of a sudden, I was wondering where the root authority comes from. I thought I needed a cert for it, which I know is dumb, but...
Maybe those files from the commercial provider are misnamed, since the CARoot authority is not part of what my ssl bundle needs, but it definitely caused me to start looking for CARoot-something when I used letsencrypt. I wanted to make sure I have all the pieces I need, which I now understand I do.

Help People See Their Way Through
So, the idea to clear that up would be to add a note in the output listing all those files to indicate where the CARoot is coming from and the the fact that it is not part of what goes in a chain file and for more info... provide a link. Like this:

Your cert is in /root/.acme.sh/example.com/example.com.cer
Your cert key is in /root/.acme.sh/example.com/example.com.key
The intermediate CA cert is in /root/.acme.sh/example.com/ca.cer
And the full chain certs is there: /root/.acme.sh/example.com/fullchain.cer
***** that is everything you need. The root certificate authority tied to your certs is IdenTrust's DST X3 root, which is already in browsers and other clients. For more information on how this works... (link).**

1 Like
2

I see you’re using acme.sh. You can always open an issue on acme.shs github page.

3

You never need the root certificate your browser has. A browser needs its own copy of the root certificate to verify that the chain of child certificates is really signed by the root.

But some commercial CAs have been around awhile, so they've needed to bring up new roots when the old ones expire or use insufficiently modern cryptography. Some of them, such as Comodo in your example, will sign their new roots with their old roots, so you can just include the new root in the chain and get your site supported in older browsers that don't know about the new root yet. Newer browsers will just ignore the new root and use their copy, and eventually you can just leave off the new root once it's in all the browsers you care about.

So when you get the certificate from Comodo, they will give you the whole chain as far back as they can make it go, for maximum compatibility. But providers like CloudFlare that focus on speed won't bother sending the older roots because they don't support these older browsers for other reasons (e.g. because they don't support TLS1.0+, SNI or ECC). This is why Comodo gives you the files separately, so you can figure it out like CloudFlare did if you want.

So you don't ever need a root certificate in your chain, but sometimes root certificates are also intermediate certificates, so you do. There's no way for you to know this, you just have to trust Comodo and acme.sh to give you the right stuff.

And understand that different CAs do things differently so it will always be different. :upside_down_face:

1 Like
4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.