Recently renewed server certs have the 'Let’s Encrypt R3' intermediate cert https://letsencrypt.org/certificates/.
The intermediate CA certificate is found to be cross-signed by IdenTrust via openssl.
On the Let's Encrypt Chain of Trust page, the same 'Let’s Encrypt R3' intermediate certificate could also be signed by the root CA 'ISRG Root X1'.
I got a little bit confused here; please help shed some light on it.
1. Is there a plan/roadmap to use the 'Let’s Encrypt R3' intermediate certificate signed by root CA 'ISRG Root X1'?
2. What is the list of recommended root certificates to add to the client-side trusted CA certificate store: 'ISRG Root X1', IdenTrust, or both? Is it better to add intermediate CA certificates as well?
3. It doesn't seem like a great idea to add intermediate certificates alone to the trusted store. Say the old 'Let’s Encrypt Authority X3' was retired. If the client-side trust store only contains this cert and the store isn't updated quickly enough, then at the renewal of the server certificate TLS will fail suddenly.
4. The IdenTrust root certificate 'O=Digital Signature Trust Co., CN=DST Root CA X3' will expire on Sep 30, 2021. Will there be a new IdenTrust root CA certificate before the expiration? Or will Let's Encrypt phase out IdenTrust completely in favor of 'ISRG Root X1'? Thanks,
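
The failure mode described in point 3 can be reproduced offline. The script below is an added example, not part of the original post or any Let's Encrypt tooling: it builds a constructed lab PKI (the names "Demo Root", "old-int", "new-int" and "server.example" are made up) and compares a trust store that pins only the retired intermediate with one that holds the root. It assumes the OpenSSL 1.1.0 or later command-line tool.

```bash
#!/usr/bin/env bash
# Constructed lab PKI: every name, key and file here is made up for this demo.
set -eu

new_csr() {   # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

issue() {     # $1 = issuer prefix, $2 = CSR prefix, $3 = output cert, rest = extra x509 options
  issuer=$1; req=$2; out=$3; shift 3
  openssl x509 -req -in "$req.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
    -CAcreateserial -days 30 "$@" -out "$out" 2>/dev/null
}

build_pki() ( # $1 = empty working directory; the subshell keeps the cd local
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  new_csr root "Demo Root"
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 \
    -out root.pem 2>/dev/null
  for ca in old-int new-int; do          # retired and replacement intermediates
    new_csr "$ca" "Demo $ca"
    issue root "$ca" "$ca.pem" -extfile ca.ext
  done
  new_csr leaf "server.example"
  issue old-int leaf leaf-before.pem     # server cert before renewal
  issue new-int leaf leaf-after.pem      # same key, renewed under the new intermediate
)

verify_with() {  # $1 = client trust store, $2 = chain the server sends, $3 = leaf
  # -partial_chain lets a non-root cert in the trust store act as the anchor;
  # -no-CApath keeps the system CA directory out of the decision.
  if openssl verify -no-CApath -partial_chain -CAfile "$1" -untrusted "$2" "$3" \
       >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
build_pki "$work"
w=$work
echo "pinned old intermediate, before renewal: $(verify_with "$w/old-int.pem" "$w/old-int.pem" "$w/leaf-before.pem")"
echo "pinned old intermediate, after renewal:  $(verify_with "$w/old-int.pem" "$w/new-int.pem" "$w/leaf-after.pem")"
echo "root in trust store, before renewal:     $(verify_with "$w/root.pem" "$w/old-int.pem" "$w/leaf-before.pem")"
echo "root in trust store, after renewal:      $(verify_with "$w/root.pem" "$w/new-int.pem" "$w/leaf-after.pem")"
```

Only the store that pins the old intermediate breaks when the server certificate is reissued under the new one; the root-only store validates both chains because the server supplies the intermediate.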