I ran my first cert renewal this morning following the switch from X3 to R3 intermediate...
Having read some of the posts in recent months, I was expecting to see R3 signed by the ISRG root, but I'm seeing it as signed by the DST root.
It's working just fine for me at the moment, but I'm curious as to why I didn't get the DST root and whether there's anything I need to do differently in future?
I'm using CertifyTheWeb on Windows, latest version of the client. Wildcard certificate with manual DNS verification. Client configured to install the issued certificate to the local certificate store only - I'm then exporting the full chain & using OpenSSL to split the resulting PFX into various .pem and .key files for a few different applications.
As a side note, my current method seems to include the root in the certificate chain (above the intermediate), which I know is wrong, but I haven't found an ideal fix for this yet. I could manually edit the .pem files to remove the root, but not sure about whether I need to do anything with the PFX in that instance.
I only realised recently that in addition to the certificate store, I think it leaves a copy of the PFX elsewhere, so I need to check if that one includes the root and if not, probably start using that copy instead.
I'm relatively new to Let's Encrypt (and certs in general) - first cert 10/08/19...
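As an added example (not part of the original post, and not CertifyTheWeb or OpenSSL code): one way to drop the root from an exported full-chain .pem without hand-editing is to remove every certificate whose issuer name equals its subject name. The function names are hypothetical, the sample certificates are constructed skeletons with no valid signatures, and the issuer/subject comparison is a name check only, not a signature verification.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(cert):
    """Return the raw DER of the issuer and subject Names of an X.509 certificate."""
    _, pos, _ = tlv(cert, 0)         # step into Certificate
    _, pos, _ = tlv(cert, pos)       # step into tbsCertificate
    tag, _, end = tlv(cert, pos)
    if tag == 0xA0:                  # skip the optional [0] version field
        pos = end
    fields = []
    for _ in range(5):               # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(cert, pos)
        fields.append(cert[pos:end])
        pos = end
    return fields[2], fields[4]

def strip_self_issued(bundle):
    """Return the PEM bundle without certificates whose issuer equals their subject."""
    kept = []
    for m in PEM_RE.finditer(bundle):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        if issuer != subject:        # a root is self-issued; leaf and intermediate are not
            kept.append(m.group(0))
    return "\n".join(kept) + "\n"

def der(tag, body):  # short-form DER length only: enough for the small constructed sample
    return bytes([tag, len(body)]) + body

def sample_cert(issuer_cn, subject_cn):
    """Constructed certificate skeleton: real field layout, no key, no valid signature."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----"

# Constructed sample: leaf, root, intermediate (root mid-bundle to show position does not matter).
SAMPLE_BUNDLE = "\n".join([sample_cert("R3", "*.example.com"),
                           sample_cert("DST Root CA X3", "DST Root CA X3"),
                           sample_cert("DST Root CA X3", "R3")]) + "\n"
```

`strip_self_issued` takes the text of a certificate-only .pem file and returns the text to write back; private key blocks are not matched by the pattern and must be kept in their own file.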