ISRG Root X1 replaces DST Root CA X3?


We've been installed the ISRG Root X1 and R3.
Our DST Root CA X3 expire in two days, and it's not renovated in the Let's Encript website.
Can we asume the ISRG Root X1 replaces DST Root CA X3 ?


1 Like

Hello @Nummer378,
I understand what your saying.
In my SAP system an alert pops up that the certificate is going to expire.
My question is:
Can I delete the DST Root CA X3 certificate because I already have the ISRG Root X1 installed?

What do you mean with "installed"? What's the situation? Is your system a CLIENT or a SERVER? I just don't understand the situation, due to lack of information.

Please enlighten us by describing your situation as detailed as possible.


Hello there,
In the SAP servers, we have imported the certificates to be able to communicate with other clients.
As we have imported the DST Root CA X3 certificate, we get an alert saying that it will expire on September 30.
We have imported the new ISRG Root X1 and R3 certificates.
Can we remove the DST Root CA X3?

Check the chain being served by the SAP services (which your SAP GUI etc will connect to), or your web interface (NetWeaver?). If it's no longer using DST Root CA X3 (it is Your Cert > R3 > ISRG Root X1 , not Your Cert > R3 > ISRG Root X1 > DST Root CA X3) and all your clients are happy with that then you don't need DST Root CA X3 anymore.

On a local machine you can check your service using (port 443 is the example but you may be using a different port):
openssl s_client -showcerts -connect -servername

There are two versions of ISRG Root X1, one is self signed and the other is cross signed by DST Root CA X3. The cross signed one is used as an intermediate and is more compatible with some older clients that don't know about ISRG Root X1.

So you need to choose whether you still need the longer DST Root CA X3 chain or whether you can just use ISRG Root X1 (self signed).

Note that is you are still seeing a chain of Your Cert > R3 > DST Root CA X3 this will become invalid tomorrow, so I think you'd need to add the current R3 and remove the old one (issued by DST Root CA X3).


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.