Root CA for IOT

Hi,
My SSL certificate expires on 15 March. I had renewed it on 15 December. I have read in a blog that Let's Encrypt is switching to a new root CA. I want to ask when this will happen. If I renew my certificate now, will I be able to use the new root CA for my IoT application? (Will this new root CA be valid for the next 20 years?)

Hi @danny1

see

The old intermediate certificate is the X3.

The new one is R3, based on the X1. So check whether the X1 is imported.

As you can see from the Chain of Trust document linked by @JuergenAuer, the currently used ISRG Root X1 is valid until a date in 2035 and the upcoming ISRG Root X2 (ECDSA) is valid until a date in 2040. So neither root will be valid for the next 20 years (X2 is a year short :stuck_out_tongue:).

Hi,
Thank you for your useful answer.

Hello, thank you for your useful reply. R3 is based on ISRG X1, so when I download the .pem file for R3, does this mean that this root certificate is valid until 2035? Kindly help me in this matter, I am confused. When I click on my certificate details in Mozilla Firefox, I see 3 certificates: my domain, R3, and DST Root CA X3. Which one should I download? I am confused, because R3 and DST Root CA X3 say validity until Oct 2021, but you told me R3 is valid until 2035. All I can download is a .pem file.

Response will be highly appreciated

Hi, R3 is based on ISRG X1, so when I download the .pem file for R3, does this mean that this root certificate is valid until 2035? Kindly help me in this matter, I am confused. When I click on my certificate details in Mozilla Firefox, I see 3 certificates: my domain, R3, and DST Root CA X3. Which one should I download? I am confused, because R3 and DST Root CA X3 say validity until Oct 2021, but I am told R3 is valid until 2035. All I can download is a .pem file.

Response will be highly appreciated

Your domain name is required if you want help.

I don't see a problem. There is no need to download root certificates.

PS: Read

PPS: Oh, already shared. So you know all you need.

Hello, my question is: R3 is based on ISRG X1, so when I download the .pem file for R3, does this mean that this root certificate is valid until 2035? Kindly help me in this matter, I am confused. When I click on my certificate details in Mozilla Firefox, I see 3 certificates: my domain, R3, and DST Root CA X3. Which one should I download? I am confused, because R3 and DST Root CA X3 say validity until Oct 2021, but I am told R3 is valid until 2035. All I can download is a .pem file.

Response will be highly appreciated

You should never need to serve a root certificate.
No one should ever accept root certs from random web servers either.

R3 is an intermediate certificate, and it should be served with your leaf cert.
If you use certbot, the fullchain.pem will always contain the leaf and the intermediate(s).

As for the expiration dates, each cert has its own expiration.
The root always has the longest expiration.
It issues certs to the intermediates to authorize them; those will always expire before the root does.
Then the intermediates do all the work and sign all the certs that we all use on our web servers, etc.
Those certs expire in 90 days [far less life than the intermediates].

Thank you for your useful reply. I am developing an IoT application, and for that I need to use a root certificate. I can't use a simple SSL fingerprint, as you mentioned it expires very soon. So I am downloading the root certificate to validate the HTTPS connection, and it works fine, as I do not have to update the firmware often. But my question was: I see three different .pem files and they all look different to me. Which one should I download to have longer validity?

If so, then you should use your own CA as a backup (keep the key in a safe place) and the ISRG Root X1 root certificate.

I don't think you understand how encryption works.
OR I don't quite understand what you're asking.

The useful cert lasts only 90 days.
It will expire and must be renewed [replaced by a new cert].
That file is the cert.pem file.
The intermediate cert can be found alone in the chain.pem file,
OR combined with the cert.pem [cert.pem + chain.pem] in the fullchain.pem,
which is the file that most modern systems use for encryption.
There is also the privkey.pem, which is the [only] private key that can decrypt anything that was encrypted with your public key [found in your public cert = cert.pem].

If you are trying to PIN a trusted certificate, do not PIN the cert.pem or the chain.pem, as both can and do change very frequently.
You should only PIN the root, but that is not provided in any of those .pem files; it can be found in any modern certificate store [which is where everyone should get their root certs from].
Also, when PINning you should always PIN an extra self-signed cert that you control, as a secondary safety measure in the event the root cert expires or is for whatever reason no longer trusted.
[Never put all your eggs in one basket.]

Cheers from Miami :beers:

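The advice above (pin the root's key, never cert.pem or chain.pem, and keep a backup pin) and the later remark that a device which "worked and then suddenly stopped working" was probably pinning the intermediate can be shown concretely. The following is an added example written for this page in Go using only the standard library; it is not code from the thread, from Let's Encrypt, or from certbot. It builds a toy hierarchy with constructed names ("Example Root CA", "Example Intermediate R3" and "R4", the hostname "device.example") that stand in for ISRG Root X1, the old and new Let's Encrypt intermediates, and the poster's domain. It then rotates the intermediate under the same root, re-issues the 90-day leaf under the new one, and checks what a client pinned to the root's SubjectPublicKeyInfo hash sees versus a client pinned to the old intermediate's:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // toy serial counter for this example; a real CA uses large random serials

// mkCert issues a certificate for a fresh P-256 key; parent == nil makes it self-signed (a root).
func mkCert(cn string, isCA bool, lifetime time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the value a pinning client stores: base64(SHA-256(SubjectPublicKeyInfo)), not a cert fingerprint or a name.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned does what a pinning TLS client does: build a chain from the leaf, through the
// intermediates the server sent, to a root in the trust store, then require that at least one
// certificate in that chain carries a pinned public key.
func verifyPinned(host string, leaf *x509.Certificate, sent, trustStore []*x509.Certificate, pins map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("chain verified but no certificate in it matches a pinned key")
}

// Scenario: a 20-year root signs a 5-year intermediate (R3) that signs the device's 90-day leaf; the CA
// then rotates to a new intermediate (R4) under the same root and the leaf is re-issued under it.
func Scenario() (rootPinStillWorks, intermediatePinStillWorks bool) {
	const day = 24 * time.Hour
	root, rootKey := mkCert("Example Root CA", true, 20*365*day, nil, nil)
	r3, _ := mkCert("Example Intermediate R3", true, 5*365*day, root, rootKey)
	r4, r4Key := mkCert("Example Intermediate R4", true, 5*365*day, root, rootKey)
	leaf, _ := mkCert("device.example", false, 90*day, r4, r4Key)
	trustStore := []*x509.Certificate{root} // the one certificate the firmware should carry
	sent := []*x509.Certificate{r4}          // what fullchain.pem now contains besides the leaf
	rootPinStillWorks = verifyPinned("device.example", leaf, sent, trustStore, map[string]bool{spkiPin(root): true}) == nil
	intermediatePinStillWorks = verifyPinned("device.example", leaf, sent, trustStore, map[string]bool{spkiPin(r3): true}) == nil
	return
}
```

Scenario() returns (true, false): the root-pinned client keeps working because the new chain still ends at the same root key, while the intermediate-pinned client fails the moment the CA rotates, even though the chain itself is perfectly valid. The pins map accepts more than one hash, which is where the backup pin from the post (a self-signed certificate you control) belongs, and on a real device the trust store and pins are compared by SPKI hash, never by the certificate's name.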
Do you have a basic understanding of IoT systems?

It seems to me you do not understand my question. If so, there is no need to answer.

I guess we are agreed:

Your question is already answered.

All done.

I hope you understand what i mean

What CAs will that device trust?
Does it have the entire ca-certificates bundle with all the publicly trusted CAs (which version, then)? Or did you pin some CA keys? If pinned, which keys? (Tell us the hash of the public key, not the name, as there are multiple X3s here.)
DST Root X3 is a root; Let's Encrypt X3 is an intermediate.

If it worked and then suddenly stopped working...

Then you must have been pinning the intermediate cert [which has recently changed].
If so, then you need to understand why pinning an intermediate is a very risky thing [and NOT recommended].

If it has never worked, then we may be talking about a whole different problem.

This is my problem: I still see the old root. How can I get the new ISRG X1 root?
