Revocation Issues with CRL for R3 (was: r3.o.lencr.org)

Thanks again.

Hmm. So once the DST Root expires, the CRL won't get updated anymore? I wonder if that will cause this same kind of issue again for the clients that broke during this incident, unless the servers they connect to switch to the "alternate" chain before then? I know there are some expected issues with old OpenSSL once the expiration happens, but I'm wondering if people might see something more widespread with these other clients that are checking CRLs? Or will they stop checking the CRLs when they see the root is expired, as long as ISRG Root X1 is in their trust store?

I was trying to play around with this scenario in the staging environment (which has an expired DST-Root-X3-equivalent to help with testing this, right?), and the Staging-Pretend-Pear-X1-signed-by-Staging-Doctored-Durian-X3 cert lists a CRL of http://stg-dst3.c.lencr.org/, but that URL returns a 404 for me. Is that what will happen for http://crl.identrust.com/DSTROOTCAX3CRL.crl once the root expires, that it will turn into a 404? Or will there be some CRL there "forever", just with an expired signature? Or do we not know yet?