Question about cert


It can be offtopic and not proper place for this type of questions but..

I have lets encrypt certificate which is signed by Intermediate CA R3, which in turn is signed by ISRG.

PEM encoded cert contains only my end-entity certificate for domain, and when i open this cert in Windows Crypto Viewer, they show also R3 cert!

I was searching for answer why the R3 cert is visible in my end-entity cert. I'm aware of that the windows can show intermediate certificate and so on by parsing the "Issuer" field from my end-entity cert, but.. my OS dont have R3 certificate in magazines. So where did windows get this certificate?

Thank you.

1 Like

I'm not familiar with Windows, but they could have cached it from any previously encountered certificate chain send by any webserver.

1 Like

Thank you!

I will read about it, now i know which direction should i go!


The Microsoft Cryptography API generally builds its own trust path according to internal algorithms. It searches for certificates (such as intermediates and roots) from the Windows certificate manager (certmgr.msc). The certificate manager collects and stores certificates from various sources, primarily from Microsoft servers. The Microsoft servers do collect well-known intermediates and distribute them to PCs.

Essentially, your Windows has either seen the R3 intermediate before and has saved it, or has loaded it from Microsoft servers and now uses it to build chains even if not provided in the file.