Is there a way to keep a domain bound to a specific intermediate?

There are a few intermediates in production LE. Is there a way to bind a domain to one of these, e.g. Let's Encrypt Authority X3?

Hi @KrystianK

That's client-specific.

If you use Certbot, --preferred-chain is your option.

I'm using acme4j 2.8 and I do not see any option like that, but how does that work for Certbot? :thinking: Is there a LetsEncrypt API, or can it be done somehow on the client side (client setup or LE certificate processing)?

Looking at Certbot, --preferred-chain checks the alternate links, which effectively means the CA in the case of LE, as I can see that the response from LetsEncrypt returns DST Root CA X3 by default and gives you an alternate to ISRG Root X1, but still using the R3 intermediate. Is it possible to get all combinations of [X3, R3] x [DST, ISRG] somehow?

You can choose which root to use (DST Root CA X3 or ISRG Root X1), but you can't choose which intermediate is used for signing. Your client should be downloading and installing the intermediate that's used with each renewal. The intermediate they used recently changed from X3 to R3, and they could change to a backup intermediate at any time if needed. You can't rely on it staying the same from one certificate to the next.


IIRC, the certs you download are cross-signed by the active intermediates. The "alternate" links are just giving options for the chain (intermediate) certificate to use with the certificate.

It seems these are cross-signed by root CAs, and which intermediate you're landing on is kind of random from the client's point of view.

What does that mean? I think using the term cross-signing isn't very useful here.

It's better to think in "private keys" where every common name of an intermediate corresponds with a certain private key (keypair actually of course, but the private key does the signing). So "Let’s Encrypt Authority X3" is a private key which used to be used for signing and nowadays the "R3" private key is used.

And those private keys can be "outfitted" in different certificates, signed by the organisation itself or "cross-signed" from outside the organisation, i.e. with a different root private key. But the private key will remain the same.

As such, there's no such thing as "cross-signing leaf certificates" as the private key doing all the signing remains the same.

Which private key is used for signing the leaf certs is up to the CA and can change at any point. Which intermediate certificate corresponding with that private key is used may be up to the client, but should never be hardcoded.

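To make the "same private key, several intermediate certificates" point above concrete, here is an added example (not from this thread, acme4j or Certbot) that builds a toy PKI with the openssl CLI: two constructed roots standing in for DST Root CA X3 and ISRG Root X1, one intermediate key certified by each of them, and a leaf signed with that key. `pick_chain` imitates a preferred-chain style selection by issuer name; the script assumes openssl 1.1.1 or newer on PATH, and every name in it is constructed.

```shell
# Toy PKI: two self-signed roots (stand-ins for DST Root CA X3 / ISRG Root X1),
# ONE intermediate key certified by each root, a leaf signed with that key.
set -e
build_pki() {
  WORK=$(mktemp -d); cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  for r in rootA rootB; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$r.key" -out "$r.crt" \
      -days 30 -subj "/CN=$r" 2>/dev/null
  done
  # One intermediate keypair, one CSR, two certificates for the same public key.
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=inter" 2>/dev/null
  for r in rootA rootB; do
    openssl x509 -req -in inter.csr -CA "$r.crt" -CAkey "$r.key" -CAcreateserial \
      -days 30 -extfile ca.ext -out "inter_by_$r.crt" 2>/dev/null
  done
  # The leaf is signed by the intermediate PRIVATE KEY; which intermediate
  # certificate is shipped next to it is a separate, client-side choice.
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter_by_rootA.crt -CAkey inter.key \
    -CAcreateserial -days 30 -out leaf.crt 2>/dev/null
}
# SHA-256 of a certificate's SubjectPublicKeyInfo; identical for both intermediates.
spki_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}
# Preferred-chain style choice: the candidate intermediate whose issuer CN is
# the wanted root, falling back to the first candidate when none matches.
pick_chain() {
  want="$1"; shift
  for c in "$@"; do
    if openssl x509 -in "$c" -noout -issuer | grep -q "CN *= *$want\$"; then
      echo "$c"; return 0
    fi
  done
  echo "$1"
}
# Does the leaf chain to root $1 when paired with intermediate certificate $2?
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1
}
build_pki
echo "SPKI via rootA: $(spki_fingerprint inter_by_rootA.crt)"
echo "SPKI via rootB: $(spki_fingerprint inter_by_rootB.crt)"
echo "preferred chain for rootB: $(pick_chain rootB inter_by_rootA.crt inter_by_rootB.crt)"
chain_ok rootA.crt inter_by_rootA.crt && echo "leaf verifies under rootA"
chain_ok rootB.crt inter_by_rootB.crt && echo "leaf verifies under rootB"
```

The two SPKI fingerprints come out identical and the one leaf verifies under either root, depending only on which intermediate certificate the client puts in the chain; pairing the rootA-issued intermediate with the rootB trust anchor fails, which is why the intermediate must be fetched with each issuance rather than hardcoded.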
