Root certificate is still showing as DST Root CA X3 in Windows

Hi everyone,
Currently I have a problem where all the browsers on macOS show
ISRG

however, on Windows it shows:

DST Root as the root.
Would this be an issue on Sept 30th?

Only if you are using it. :rofl:
Also, using Windows, Linux, Apple, or Android is an issue aside from any SSL certificates. :cynical:


This is related to how Windows chooses to build trust chains. But you shouldn't have any problem after the 30th.


Thank you for the reply. Do you mind sharing some insights on this? I want to be 100% instead of being sorry.


I can only speak from observed experience and the testing others in this community have done. Microsoft doesn't really publish any documentation about how the underlying OS chooses to build trust chains.

Your server is currently serving the default Android-compatible chain, which includes the DST-signed ISRG Root X1 as an intermediate.

$ openssl s_client -connect uat.xchgema.com:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = uat.xchgema.com
verify return:1
---
Certificate chain
 0 s:CN = uat.xchgema.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

So technically speaking, Windows is adhering closer to the chain served by your server than your Macs are. But the chain served by the server is largely a suggestion and things like web browsers can choose to verify the chain however they want.

If you don't care about early Android compatibility, you could reconfigure your server to stop serving that DST signed ISRG Root X1. But Windows will likely still verify the chain up to the DST root until it actually expires unless you do something like un-trust the DST Root on that Windows machine.

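The check done by eye in the reply above, as an added example that is not part of the original thread: bash functions that read `openssl s_client` output and report whether the last certificate the server sends was issued by DST Root CA X3. The function names and the second sample chain are constructed for illustration; the first sample is the chain section quoted in the reply.

```shell
#!/usr/bin/env bash
# Added example: classify the chain a server sends, from `openssl s_client` output.

# Chain section quoted in the reply above (cross-signed chain as served).
sample_served() {
cat <<'EOF'
Certificate chain
 0 s:CN = uat.xchgema.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Constructed sample: the same chain with the cross-signed certificate dropped.
sample_short() { sample_served | grep -v -e '^ 2 s:' -e 'DST Root CA X3'; }

# Print the issuer CN of the last certificate in the "Certificate chain" section.
last_issuer_cn() {
  local line cn issuer="" in_chain=0
  while IFS= read -r line; do
    line="${line#"${line%%[![:space:]]*}"}"        # strip leading whitespace
    case "$line" in
      "Certificate chain"*) in_chain=1 ;;
      ---*) in_chain=0 ;;
      i:*)
        if [ "$in_chain" -eq 1 ]; then
          cn="${line##*CN = }"                       # "CN = x" output style
          if [ "$cn" = "$line" ]; then cn="${line##*CN=}"; fi   # "CN=x" style
          issuer="$cn"
        fi ;;
    esac
  done
  printf '%s\n' "$issuer"
}

# Map the last issuer to a verdict about the served chain.
classify_chain() {
  case "$(last_issuer_cn)" in
    "DST Root CA X3") echo "cross-signed" ;;   # chain ends at the DST root
    "ISRG Root X1")   echo "isrg-only" ;;      # chain ends at ISRG Root X1
    "")               echo "no-chain" ;;       # no chain section in the input
    *)                echo "other" ;;
  esac
}

printf 'served: %s\n' "$(sample_served | classify_chain)"
printf 'short:  %s\n' "$(sample_short | classify_chain)"
```

Against a live server, pipe `openssl s_client -connect host:443 </dev/null 2>/dev/null` into `classify_chain`. This reports only what the server sends, not the path a given client ends up building.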
