Recommendation on client-side trusted root CA certificates

Recently renewed server certs has 'Let’s Encrypt R3' intermediate cert

The intermediate CA certificate is found to be cross-signed by IdentTrust via openssl.

At the Letsencrypt Chain of Trust page, the same 'Let’s Encrypt R3' intermediate certificate could also be signed with root CA 'ISRG Root X1'.

I got a little bit confused here, please help shed a light into it.

1, Is there a plan/roadmap to use root CA 'ISRG Root X1' signed intermediate certificate 'Let’s Encrypt R3'?

2, what is the list of recommended root certificates to add into client-side trusted CA certificate store, 'ISRG Root X1', IdentTrust, or both? Do we better to add intermediate CA certificates as well?

3, It seems not a great idea to add intermediate certificates alone into trusted store. Say, the old 'Let’s Encrypt Authority X3' was retired. If client side trust store only contains this cert and the store isn't updated quick enough, then at the renewal of server certificate TLS will fail suddenly.

4, the IdentTrust root certificate 'O=Digital Signature Trust Co., CN=DST Root CA X3' will expire on Sep 30, 2021. will there be a new IdentTrust root CA certificate before the expiration? or Letsencrypt will phase out IdentTrust completely in favor of 'ISRG Root X1'? Thanks,


That's the default intermediate certificate you will receive if you issue a certificate today. I misread the question.

You can get it today using the "alternate chain"/"preferred chain" functionality in your ACME client. Or by substituting the intermediate in your certificate bundle file by hand, which amounts to the same thing.

From January 11, 2021, it will become the default.

ISRG Root X1, ISRG Root X2 and DST Root CA X3 are all good candidates to include in a root store, in order to be future-proof.

Do not add intermediates to root stores, they don't belong there.


Indeed. The latest that it will be possible to get a certificate chain containing an Identrust-signed intermediate certificate will be around July 1, 2021.

The default certificate chain will be changing to "ISRG Root X1" in a matter of weeks - January 11, 2021.

From then until July, it will be still possible to get the Identrust-signed intermediates using the alternate chain functionality in ACME.


For information on the transition from the DST root to ISRG's own roots, check out this blog post:

When talking about what specific roots you want to put in a trust store (while I think that ISRG Root X1 & ISRG Root X2 are likely excellent choices), I think you need to start with a bit more detail on why you're building your own trust store rather than relying on a platform's built-in store. Maintaining a trust store is a generally a long-term commitment as roots change over the years, and occasionally roots need to change on short notice (if a key is compromised or an organization turns out to be untrustworthy).

You might want to read through this thread of some things to think about when embedding a trust store in devices (which might not be your use case, but this might be enlightening anyway):

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.