Root certificates

I have successfully generated my wildcard certificate; however, I am using it for an app which requires certificate, key and root parameters.
However, when I generated my certificate with Let's Encrypt I only got two parameters, certificate and private key. When I run "sudo certbot certificates" I get these results:
Certificate Path:/etc/letsencrypt/live/fullchain.pem
Private key Path:/etc/letsencrypt/live/privkey.pem.
I am guessing the certificate given by Let's Encrypt is the root certificate, as it says full chain. Where can I find the other certificate? Please correct me if I am wrong.

fullchain.pem has at least three different certificates.

  • Yours
  • The intermediate (most commonly, it's called R3)
  • A cross-signed root certificate (most commonly, ISRG Root X1)

The root certificate itself is not there.

But it all depends on your app. What does that setting do? Is it used to validate OCSP responses? Is it used to tell it "trust this no matter what"? I can't know that.

2 Likes
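Added example, not part of the thread: a standard-library Python check that walks a `fullchain.pem`-style bundle and reports, for each certificate, whether its issuer and subject names are identical (which a self-signed root's are) and whether the next certificate in the file is its issuer. The function names and the sample bundle are assumptions made for illustration: the samples are constructed, unsigned certificate skeletons, and the comparison is by name only, with no signature verification.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names inside TBSCertificate."""
    _, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, end = read_tlv(der, pos)    # TBSCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, stop = read_tlv(der, pos)
        fields.append((tag, der[pos:stop]))
        pos = stop
    if fields[0][0] == 0xA0:            # optional explicit [0] version
        fields.pop(0)
    # Remaining order: serial, signature alg, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def describe_chain(pem_text):
    """Per certificate: is it self-issued (a root), and does the next one issue it?"""
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    return [{"self_issued": iss == sub,
             "issued_by_next": i + 1 < len(names) and iss == names[i + 1][1]}
            for i, (iss, sub) in enumerate(names)]

# --- constructed sample: unsigned certificate skeletons carrying names only ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths suffice here
def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))

def sample_pem(issuer, subject):
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _name(issuer) + _tlv(0x30, b"") + _name(subject))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Same layout as the list above: leaf, intermediate, cross-signed root.
SAMPLE_FULLCHAIN = (sample_pem("R3", "example.test") + sample_pem("ISRG Root X1", "R3")
                    + sample_pem("DST Root X3", "ISRG Root X1"))
print(describe_chain(SAMPLE_FULLCHAIN))
```

No entry in the sample bundle is self-issued, which matches the statement that the root itself is not in the file. To inspect a real bundle, pass the text of your own `fullchain.pem` to `describe_chain`.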

It is used to tell it "trust this no matter what". The three different certificates in the fullchain.pem are written in that order, and where can I find the root certificate?

That depends on what chain you told your ACME client to use.

  • If you are using the default chain (AKA "the long RSA chain"), the root certificate is DST Root X3
  • If you are using the short RSA chain, the root certificate is ISRG Root X1 (the self-signed one, not the cross-signed one -- one key, two certificates)
  • If you are using the (uncommon) ECDSA chain, the root certificate is either the self-signed ISRG Root X2, or ISRG Root X1 once again.

You can find them all on this page:

1 Like

But, depending on your OS and app, you probably have them already.

1 Like

Hi @kweku, and welcome to the LE community forum.

Root certs should never be sent by anyone [especially while providing a leaf cert that relies on that root].
Your O/S should have a way to keep the root cert list updated.

2 Likes
