Need the Intermediate and Root Cert Chain

Yes, I'm not using the help template. I know.

I administer a Unisys Clearpath MCP mainframe environment that does not support certificate automation. I need to have the intermediate and roots certificates pre-installed in my trusted certificate store.

Where can I find those certificates?

I've been doing this for a long time and have worked with multiple CAs. I know how to run my system. I'm having some trouble finding this information within Let's Encrypt.

I think you're just looking for the Chains of Trust documentation page.

Trust stores should in general only need the root certificates, since servers that the clients connect to should provide the intermediates in the chain. But if you're talking about mainframes it may be that they do things off the beaten path of the rest of the WebPKI.

Yes, the certs are on that page. Thanks. They are not explicitly marked like I've seen with every other CA I have used.

Legacy mainframe systems do work very differently.

Not everything using TLS is a web service.

You may also want to Subscribe to the "Technical Updates" newsletter, to be notified whenever Let's Encrypt creates new intermediates and roots.

Thank you. Done.

What explicit markings would you have in mind?

Every other CA I've worked with has a link to the zip file containing the intermediate and root certs. The link is marked as something like "To download the Root and Intermediate Cert Chain click here".

Perhaps it's time to update that page: Chains of Trust - Let's Encrypt
It appears that all the cert links are from crt.sh [which is not performing at 100% these days].
Most requests return me:

Well, not all of them. The der, pem, and txt links are not, for example. But, agree crt.sh has been so unreliable for some time an alternate option would be nice.

On my browsers it is not obvious which are links on that page ... but I digress :slight_smile:

Let's Encrypt is intended to be used via API, and that is provided along with the certificate in our API. Whatever tool you're using to use Let's Encrypt should provide them to you, along with the certificate.

Our chains may not be the same per-issuance - we have multiple intermediates active, and they change annually. It is error-prone and usually a bad idea to have something like a ZIP file that contains one chain - which would we provide?