Let's Encrypt Root and Intermediate Certificate Transparency Links


Active Root Certificates

ISRG Root X1
Self-signed

Upcoming Root Certificates

ISRG Root X2
Self-signed
ISRG Root X2
Cross-signed by ISRG Root X1

Active Intermediate Certificates

Let's Encrypt Authority X3
Signed by ISRG Root X1
Let's Encrypt Authority X3
Cross-signed by IdenTrust
R3
Signed by ISRG Root X1
R3
Cross-signed by IdenTrust

Upcoming Intermediate Certificates

E1
Signed by ISRG Root X2

Backup Intermediate Certificates

Let's Encrypt Authority X4
Signed by ISRG Root X1
Let's Encrypt Authority X4
Cross-signed by IdenTrust
R4
Signed by ISRG Root X1
R4
Cross-signed by IdenTrust
E2
Signed by ISRG Root X2

Retired Intermediate Certificates

Let's Encrypt Authority X1
Signed by ISRG Root X1
Let's Encrypt Authority X1
Cross-signed by IdenTrust
Let's Encrypt Authority X2
Signed by ISRG Root X1
Let's Encrypt Authority X2
Cross-signed by IdenTrust

1 Like

Maybe the crt.sh links would make a good addition to https://letsencrypt.org/certificates/#intermediate-certificates (https://github.com/letsencrypt/website).

3 Likes

If you add CT log links, I reckon you should add at least two from separate companies.

Adding CT log links is IMHO only really useful for transparency reasons and with that reason in mind, I think we should not rely on just one external entity.

By the way, the Chain of Trust-page linked also by @_az above also contains a Certificate Transparency section at the bottom:

https://letsencrypt.org/certificates/#certificate-transparency

Now, it contains only "Issued by" crt.sh links. Perhaps we can expand that section.

4 Likes

For me the most useful part is being able to look at all the different certificate fields, not so much the transparency aspect

2 Likes

All good points. As with _az, my intention was simply quick reference of the certificate information. I feel like the crt.sh links would be best placed in their respective sections for quick access rather than at the bottom. While I definitely understand the spirit of fairness and robustness, I don't want to overcomplicate the content with too much redundancy. Anyone wishing to find the identical information elsewhere can readily do so.

As a note though, I ran into trouble looking up a couple of these intermediate certificates by their serial numbers with crt.sh. Might be something worth checking into.

@_az

I'll do a PR for this in the morning. :slightly_smiling_face:

I'll add the backups and roots too.

2 Likes

Which ones? If they haven't been submitted to logs yet, we should be able to do that ourselves.

3 Likes

None of the intermediate certificates that I listed that were signed by ISRG Root X1 could be found by their serial numbers. I found them searching by their common names (and weeding through the results).

1 Like

Yeah, searching by serial is annoying. I've found that just plugging the fingerprint (-fingerprint -sha256) into crt.sh works a lot better.

2 Likes

Why only those though?

1 Like

I assume it's related to how leading zeros are displayed (or not) in various software.

For example, if you take this serial:

$ curl -s https://letsencrypt.org/certs/lets-encrypt-r4.pem | openssl x509 -in - -noout -serial
serial=8A792250ABE52C526CEECF7FC942DD62

and try plug it into crt.sh, you get no results: https://crt.sh/?serial=8A792250ABE52C526CEECF7FC942DD62

Weird, right?

The ASN.1 representation though:

  13   17:     INTEGER 00 8A 79 22 50 AB E5 2C 52 6C EE CF 7F C9 42 DD 62

If you include the leading zeros on the serial: https://crt.sh/?serial=008A792250ABE52C526CEECF7FC942DD62

it appears.

:man_shrugging:

3 Likes

To compensate for the sign bit of the highest nibble. Makes sense. I found myself trimming off the leading zeros of the hex representations of the RSA n and e when constructing the JWK for ACME registration.

3 Likes
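The two posts above describe the same octet-level quirk from opposite sides: DER INTEGER encoding adds a 0x00 octet when the top bit is set, while the JWK Base64urlUInt form (RFC 7518) strips every leading zero octet. This added example (not from the thread or from Let's Encrypt) reproduces both conversions; the R4 serial value is the one quoted above, and the function names are this example's own.

```python
import base64

# Serial as printed by `openssl x509 -noout -serial` for the R4 intermediate
# (value quoted in the thread above).
R4_SERIAL_HEX = "8A792250ABE52C526CEECF7FC942DD62"


def der_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER as tag (0x02) + length + content.

    DER integers are two's-complement, so a value whose top bit is set needs
    a leading 0x00 content octet to remain positive. Short-form length only
    (content < 128 octets), which covers any RFC 5280 serial number.
    """
    if value < 0:
        raise ValueError("X.509 serial numbers are positive (RFC 5280)")
    # (bit_length + 8) // 8 reserves one extra octet exactly when the
    # highest bit of the minimal encoding would be the sign bit.
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    if len(content) >= 128:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x02, len(content)]) + content


def crt_sh_serial(openssl_serial_hex: str) -> str:
    """Upper-case hex of the DER content octets, i.e. the form crt.sh
    matched in the thread (with the leading 00 when present)."""
    tlv = der_integer(int(openssl_serial_hex, 16))
    return tlv[2:].hex().upper()


def crt_sh_url(openssl_serial_hex: str) -> str:
    return "https://crt.sh/?serial=" + crt_sh_serial(openssl_serial_hex)


def asn1_dump(tlv: bytes) -> str:
    """Render the content octets the way the dumpasn1 line above does."""
    return "INTEGER " + " ".join(f"{b:02X}" for b in tlv[2:])


def base64url_uint(value: int) -> str:
    """JWK Base64urlUInt (RFC 7518 s.2): minimal unsigned big-endian octets,
    no padding. Unlike DER there is never a leading 0x00 octet, and zero is
    encoded as a single zero octet, which is why the leading zeros must be
    trimmed when building the RSA 'n'/'e' members for ACME registration."""
    octets = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(octets).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    print(crt_sh_url(R4_SERIAL_HEX))
    print(asn1_dump(der_integer(int(R4_SERIAL_HEX, 16))))
    print("e =", base64url_uint(65537))
```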

What fields are you looking for that aren't in the "txt" version posted on https://letsencrypt.org/certificates/ ?

3 Likes

Good observation. I find that the webpage format is far superior to view on my phone though and offers many other features.

1 Like

Personally, I wouldn't add links to a third party site just for the information which already is available. Of course crt.sh adds some other information too like revocation status et cetera, but I don't think that's very useful for the intermediate certs.

2 Likes

Do you have anything against crt.sh, out of curiosity? You cited 4 links to that site yourself on the same page. I am actually curious.

1 Like

I don't personally, but I'm thinking more from the perspective of a company. I wouldn't want my company to look like it actually endorses some product. Or have some kind of thing resembling something like a "vendor lock-in". Don't forget crt.sh is operated by Sectigo (part of Comodo Cybersecurity). They aren't an independent entity.

That's why I would recommend not adding too much from just one company or, if you want to add such stuff, add it from at least two. I.e., also add links to Google's certificate transparency page or something.

3 Likes

That's true. I mean it is a free tool and I guarantee this site already contains at least a million links to crt.sh. It's mentioned in our #help template. Wonder if Let's Encrypt would be interested in their own CT log? :thinking:

Does one of the Let's Encrypt sponsors offer a CT log?

1 Like

Like I said, I'm not against the site. I use it too on this Community. But I think this Community (with external, non-LE-affiliated users) is a different story than putting it on your official website, which might have more "statement" to it.

They run multiple CT logs. Just not a CT log aggregator :stuck_out_tongue:

3 Likes

You did see this, right... :wink:

2 Likes

Nope, I did not.. :scream: :cold_face: :sweat_smile:

2 Likes