KeyStore / ISRG Root X1

When requesting a certificate were returned the following Root CA

ISRG Root X1
Expires: Sep 30 2024 18:14:03 GMT
Serial: 40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7

Were in the process of updating/adding the new LetsEncrypt "ISRG Root X1" (a bit of an overhead) to our application keystores, we would just like to confirm that we wouldn't have any issues in the future loading the following Root CA (basically to take advantage of the extended expiry date)

ISRG Root X1
Expires: Jun 04 2035 11:04:38 GTM
Serial: 82:10:CF:B0:D2:40:E3:59:44:63:E0:BB:63:82:8B:00

Im sure I can and shouldn't be an issue seeing that LetsEncrypt are already disturbing the cert but I would just like confirmation.

1 Like

I'm not sure what information you're looking for beyond what's on the Chain of Trust page.

If your applications have trust stores that are challenging to update (like an embedded device type scenario), it's generally recommended to have at least one other CA in your trust store too, possibly one you run yourself, just in case there's some problem (procedural, technical, financial, or otherwise) with getting Let's Encrypt certificates in the future. But if all you're looking for is how to add Let's Encrypt's roots, then yes you just need ISRG Root X1. (Though I would also add ISRG Root X2 while I was at it, but then again I'm irrationally excited about using ECDSA.)

1 Like

Welcome to the Let's Encrypt Community, Reid :slightly_smiling_face:

It never ceases to amaze me when I read the word "new" associated with this:

Not Before: Jun 4 11:04:38 2015 GMT

https://crt.sh/?id=9314791

I can confirm though that you have mentioned the correct root certificate. I'm referring to the second one you mentioned, which is a true root certificate as @Nummer378 describes below.

The ISRG Root X2 certificate that @petercooperjr is suggesting that you additionally add is this one:

https://crt.sh/?id=3335562555

Thank you

1 Like

Thank you for both replying

1 Like

You are quite welcome. :blush:

I think @Nummer378 has some additional useful information coming, so stay tuned.

1 Like

This is ISRG Root X1 signed by DST Root CA X3 - a cross sign of ISRG Root X1. Given that it's not self signed, it's not a root certificate by BR definition.

This is the actual root certificate. Both certificates share the same keypair though.

When adding certificates to your trust store, you should prefer the self-signed version of ISRG Root X1, as that's less likely to cause trouble later (not only is the self signed version valid for longer, it's issuer field also points to itself, which helps some validators).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.