Identrust root download link


Any thoughts about that issue?

ZImbra SSL certificate renew

@lestaff, does anyone have any thoughts about this as a policy issue? Is there a reason that the IdenTrust root must be downloaded from the IdenTrust site itself? (Maybe it better reassures people that they’re getting the correct file?)


Maybe add a hash verification (for the really paranoid)?
[oh no! I’ve said too much…]


Not sure it will help, because the hash will come from the same source.

And I don’t see a thread model here, but, I feel it’s important to indicate the source of the file so visitors can check it themselves if they need to. But I think it’s equally important that Let’s Encrypt keep control the download too: if the website says you can download the file “there” but “there” is no file…

That’s why my proposal was:

DST Root CA X3 (download .pem, .p7b or on


I don’t think there is anything technically or legally preventing us from doing this, but I’d prefer to leave it on their site. I don’t see the duplication as particularly helpful, and it makes organizational associations more clear.

They have a new website now that’s a lot nicer than the old one, fwiw.


But where has the DST X3 root gone to? It’s not literally named on the download page.


It’s hidden behind the “Root Certificate Download” link of the “TrustID X3” section… and it’s a file in p7b format…

I understand, but it means be dependant of that website. I have an alternative proposal:

DST Root CA X3 download on (or, alternatively, you can download a copy here: .pem, .p7b)


  • the website is clearly highlighted as the main source
  • but users can still download it if that website changes or if they need it in another format

The only alternative would be something like:

DST Root CA X3 download on (hopefully using the “Root Certificate Download” link of the “TrustID X3” section, which is the new commercial name of that root)

Or a direct link to (the direct link to the file) but it may be as easily broken and is as close as hosting the file yourself.


But that’s not clear at all!

Also, OpenSSL doesn’t like the file at all too:

osiris@erazer ~ $ openssl pkcs7 -print_certs -in trustidrootx3_chain.p7b 
unable to load PKCS7 object
139828462591552:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:708:Expecting: PKCS7
osiris@erazer ~ $ 

I wouldn’t mind a “normal” PEM-file on the Let’s Encrypt site…


try with -inform der :slight_smile:


Uch, tried that for the regular x509 OpenSSL utility, didn’t try it for the pkcs7 utility. :blush:


@josh I’ve submitted a proposal:

closed #12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.