Let's Encrypt Staging Root


#1

Is the staging root certificate (CN=Fake LE Root X1) available somewhere?

I’m writing some tests and I need to validate the full chain and therefore I need the root certificate to complete the chain.


Adding the staging certificate to browsers
#2

Hello @kintner,

You can find it here https://acme-staging.api.letsencrypt.org/acme/issuer-cert or here http://cert.stg-int-x1.letsencrypt.org/

Keep in mind that the certificate is in der (binary) format, if you want to convert it to pem format you could do it using something like this:

curl -s https://acme-staging.api.letsencrypt.org/acme/issuer-cert | openssl x509 -inform der -outform pem -out FakeLERootX1.pem

or

curl -s http://cert.stg-int-x1.letsencrypt.org | openssl x509 -inform der -outform pem -out FakeLERootX1.pem

Cheers,
sahsanu


#3

Thanks @sahsanu but that’s the intermediate certificate, right?

$> curl -s  https://acme-staging.api.letsencrypt.org/acme/issuer-cert | openssl x509 -inform der  -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8b:e1:2a:0e:59:44:ed:3c:54:64:31:f0:97:61:4f:e4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Fake LE Root X1
        Validity
            Not Before: Mar 23 22:59:04 2016 GMT
            Not After : Mar 23 22:59:04 2036 GMT
        Subject: CN=Fake LE Intermediate X1

I’m looking for certificate that issued this certificate. A root certificate is issued by itself unless I’m missing something here.


#4

Sorry, I didn’t read your question properly. I don’t know if Fake LE Root X1 cert is publicly available maybe @jsha could help here :wink:


Configuring node.js to use the Fake LE Root X1 CA
#5
curl http://cert.stg-root-x1.letsencrypt.org/ | openssl x509 -inform der -outform pem -text

#6

Thanks @jsha and @sahsanu! That’s exactly what I was looking for.


#7

Shouldn’t the CA Issuers link lead one all the way to the root?
The one in the staging intermediate points to itself…

curl http://cert.stg-int-x1.letsencrypt.org/ | openssl x509 -inform DER -outform PEM -text | grep ‘CA Issuers’

CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/


#8

Yep, this is a problem with the Fake LE Intermediate that we’re working on fixing.


#9

Any update on this? It looks like the link to the root cert is still missing.


#10

The root is still there. Please double check your command.

It should output a certificate like “Fake LE Root X1”


#11

@dol are you talking about the HTTP header Link: rel="up"? If so, it’s expected that the root certificate is not referenced in that way, because ACME clients are supposed to build certificate chains by following the Link headers, and such chains are not supposed to include the root.