Root certificates

I have successfully generated my wildcard certificate however i am using it for an app which requires certificate,key and root parameters
Screen Shot 1401-01-16 at 11.36.59
however when i generated my certificate with lets encrypt i only got two parameters certificate and private key when i run "sudo certbots certificates" i get this results
Certificate Path:/etc/letsencrypt/live/fullchain.pem
Private key Path:/etc/letsencrypt/live/privkey.pem.
i am guessing the certificate given by lets encrypt is the root certificate as it says full chain, where can i find the other certificate?Please correct me if i am wrong

fullchain.pem has at least three different certificates.

  • Yours
  • The intermediate (most commonly, it's called R3)
  • A cross signed root certificate (most commonly, ISRG Root X1)

The root certificate itself is not there.

But it all depends on your app. What does that setting do? Is it used to validate OCSP responses? Is it used to telli it "trust this no matter what"? I can't know that.


it is used to tell it "trust this no matter what" the three different certificates in the fullchain.pem are the written in that order and where can i find the root certificate

that depends on what chain you told your acme client to use.

  • If you are using the default chain (AKA "the long RSA chain"), the root certificate is DST Root X3
  • If you are using the short RSA chain, the root certificate is ISRG Root X1 (the self-signed one, not the cross signed one -- one key, two certificates)
  • If you are using the (uncommon) ECDSA chain, the root certificate is either the self-signed ISRG Root X2, or ISRG Root X1 once again.

You can find them all on this page:

1 Like

But, depending on your OS and app, you probably have them already.

1 Like

Hi @kweku, and welcome to the LE community forum :slight_smile:

Root certs should never be sent by anyone [especially while providing a leaf cert that relies on that root].
Your O/S should have a way to keep the root cert list updated.


2 posts were split to a new topic: Generating Certs with Heroku

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.