Inconsistent DST root certificate (Windows <-> browsers)

Let’s Encrypt’s certificate is based off the “DST Root CA X3” root certificate. But there exist two different versions of this certificate!?

The version of the certificate in Windows cert. store (7 & 10) has the serial no:
44afb080d6a327ba893039862ef8406b!

The version in e.g. Chrome’s cert. store, and the one your Let’s-Encrypt-signed certificates are based on, has the serial no:
0a0141420000015385736a0b85eca708

Those two have the same name and “Valid to” date.

I would expect these would be the same…what’s the explanation of this?

I assume this means applications checking for the trusted CA root certificate in the Windows cert. store (in contrast to the browser cert. store) will not see the Let’s Encrypt cert as trusted :frowning:
E.g. MS Office applications.

IIRC Chrome uses the OS’s cert store with some Chrome-specific blacklist.
And those two certificates use different hash algorithms: the Windows one is SHA1, the ‘Chrome’ one is SHA256.

Ahh…so to get fewer certificate problems with e.g. Office applications I should use SHA1 when creating my LE certificates, although they’ll be less secure?

In my particular case it’s a server certificate on my POP3 server, and it’s a problem if Outlook, or other mail clients, don’t trust the certificate right away.

And in regards to your answer, are you sure Chrome doesn’t have its own collection of certificates?
How do you explain my screen-dumps, the Chrome cert. was taken from the Chrome cert. store?

The signature algorithm of the root certificate doesn’t count as it’s self signed.

Also you can’t choose. I guess they both have the same public/private key? So it doesn’t matter anyway: your cert will be signed by an intermediate, and that intermediate says “I’m signed by ‘DST Root CA X3’”, so as long as the name and public key are correct, it’s trusted.

1 Like

The certificate menu in Chrome’s options just opens the Windows cert store; Chrome doesn’t have its own cert store, except some whitelist for EV certs.

In your screenshot on the left, the certificate with the serial number that starts with 0a is the Let’s Encrypt Authority X3 intermediate certificate.

https://crt.sh/?id=15706126

It’s issued by DST Root CA X3 but it’s not DST Root CA X3. In the screenshot, you can see the “Subject” field describing what it’s for near the bottom of the scrolly thing.

The screenshot on the right, with the certificate with a serial number beginning with 44, is DST Root CA X3.

https://crt.sh/?id=8395

They’re both necessary, but they’re two completely different certificates for different purposes.

2 Likes
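The two points made above (the root’s own signature algorithm is never verified because it is self-signed, and the 0a… and 44… certificates are an intermediate and a root rather than two versions of one certificate) can be checked mechanically by building the chain the way a verifier does: match each certificate’s issuer name *and* its authority key identifier against a candidate’s subject name and subject key identifier. The script below is an added example and is not code from the thread or from Let’s Encrypt. It uses a toy in-memory certificate model with constructed placeholder key bytes (no real RSA keys and no real signature verification; key-identifier matching stands in for the signature check). The two serial numbers are the ones quoted in the thread; the `pop3.example.com` leaf, the look-alike “DST Root CA X3” entry with a different key, and all key bytes are constructed for the demo.

```python
"""Toy X.509 chain building: issuer name + key identifier, root vs intermediate.

Added example for the thread above, not real Let's Encrypt code. Certificates
are modelled as plain records; key bytes are constructed placeholders.
"""
from dataclasses import dataclass
from hashlib import sha1
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    public_key: bytes            # constructed placeholder, not real key material
    signature_algorithm: str     # algorithm used by the *issuer* to sign this cert
    is_ca: bool
    authority_key_id: Optional[bytes]   # AKI: identifier of the issuer's key

    @property
    def subject_key_id(self) -> bytes:
        # RFC 5280 4.2.1.2 method (1): SHA-1 over the public key bits.
        return sha1(self.public_key).digest()


def is_self_signed(cert: Cert) -> bool:
    """A root is self-signed: subject == issuer and AKI (if present) == its own SKI."""
    aki_ok = cert.authority_key_id is None or cert.authority_key_id == cert.subject_key_id
    return cert.subject == cert.issuer and aki_ok


def classify(cert: Cert) -> str:
    if cert.is_ca and is_self_signed(cert):
        return "root"
    return "intermediate" if cert.is_ca else "leaf"


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """Issuer must match by name AND by key identifier.

    A certificate that merely carries the name "DST Root CA X3" but holds a
    different key is not the issuer, which is why the serial number alone is
    not what ties a chain together.
    """
    for cand in pool:
        if (cand.is_ca and cand.subject == cert.issuer
                and cand.subject_key_id == cert.authority_key_id):
            return cand
    return None


def build_chain(leaf: Cert, pool: List[Cert]) -> List[Cert]:
    """Walk from the leaf up to a self-signed trust anchor."""
    chain, seen, cur = [leaf], {leaf.serial}, leaf
    while not is_self_signed(cur):
        nxt = find_issuer(cur, pool)
        if nxt is None:
            raise ValueError(f"no issuer for {cur.subject!r} (expects {cur.issuer!r})")
        if nxt.serial in seen:
            raise ValueError("issuer loop detected")
        chain.append(nxt)
        seen.add(nxt.serial)
        cur = nxt
    return chain


def verified_signature_algorithms(chain: List[Cert]) -> List[str]:
    """Algorithms a verifier actually checks: every cert except the self-signed root.

    The root's own signature algorithm "doesn't count" because nobody verifies
    a trust anchor's signature; it is trusted by being in the store.
    """
    return [c.signature_algorithm for c in chain if not is_self_signed(c)]


# --- constructed sample data (serials 44… and 0a… are the ones from the thread) ---
ROOT_KEY = b"constructed-dst-root-ca-x3-key"
INT_KEY = b"constructed-lets-encrypt-x3-key"

ROOT = Cert("DST Root CA X3", "DST Root CA X3",
            0x44AFB080D6A327BA893039862EF8406B, ROOT_KEY,
            "sha1WithRSAEncryption", True, None)
INTERMEDIATE = Cert("Let's Encrypt Authority X3", "DST Root CA X3",
                    0x0A0141420000015385736A0B85ECA708, INT_KEY,
                    "sha256WithRSAEncryption", True, sha1(ROOT_KEY).digest())
LEAF = Cert("pop3.example.com", "Let's Encrypt Authority X3",
            0x1234, b"constructed-pop3-server-key",
            "sha256WithRSAEncryption", False, sha1(INT_KEY).digest())
# Same name as the root, different key: must NOT be picked as the issuer.
LOOKALIKE = Cert("DST Root CA X3", "DST Root CA X3", 0x99, b"constructed-other-key",
                 "sha256WithRSAEncryption", True, None)
POOL = [LOOKALIKE, INTERMEDIATE, ROOT]


if __name__ == "__main__":
    for c in build_chain(LEAF, POOL):
        print(f"{classify(c):12} serial={c.serial:032x}  subject={c.subject!r}")
    print("signatures actually verified:", verified_signature_algorithms(build_chain(LEAF, POOL)))
```

Running it prints the chain leaf → intermediate (serial 0a…) → root (serial 44…), skips the look-alike root whose key identifier does not match, and reports only two SHA-256 signatures as verified: the SHA-1 on the root never enters the picture, which is also why the SHA-1/SHA-256 question in the thread has no bearing on how a leaf certificate should be requested.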

OK…I must have fooled around with the mouse :stuck_out_tongue: