Let’s Encrypt’s certificate is based off the “DST Root CA X3” root certificate. But there exist two different versions of this certificate!?
The version of the certificate in the Windows cert. store (7 & 10) has the serial no:
44afb080d6a327ba893039862ef8406b!
The version in e.g. the Chrome cert. store, and the one your Let’s-Encrypt-signed certificates are based on, has the serial no:
0a0141420000015385736a0b85eca708
I would expect these to be the same… what’s the explanation for this?
I assume this means applications checking for the trusted CA root certificate in the Windows cert. store (in contrast to the browser cert. store) will not see the Let’s Encrypt cert as trusted,
e.g. MS Office applications.
IIRC Chrome uses the OS’s cert store with some Chrome-specific blacklist.
And those two certificates use different hash algorithms: the Windows one is SHA-1, the ‘Chrome’ one is SHA-256.
Ahh… so to get fewer certificate problems with e.g. Office applications I should use SHA-1 when creating my LE certificates, although they’ll be less secure?
In my particular case it’s a server certificate on my POP3 server, and it’s a problem if Outlook, or other mail clients, don’t trust the certificate right away.
And in regards to your answer, are you sure Chrome doesn’t have its own collection of certificates?
How do you explain my screen dumps? The Chrome cert. was taken from the Chrome cert. store.
The signature algorithm of the root certificate doesn’t count, as it’s self-signed.
Also, you can’t choose. I guess they both have the same public/private key? So it doesn’t matter anyway: your cert will be signed by an intermediate, and that intermediate says “I’m signed by ‘DST Root CA X3’”, so as long as the name and public key are correct, it’s trusted.
It’s issued by DST Root CA X3, but it’s not DST Root CA X3. In the screenshot, you can see the “Subject” field describing what it’s for near the bottom of the scrolly thing.
The screenshot on the right, with the certificate whose serial number begins with 44, is DST Root CA X3.