RSA certificate for SAP SSL

Hello,

We were using Let's Encrypt before to sign our SSL certificates. However, because of the "shortening" change, we are not able to sign it using DST Root CA X3.

I attempted to sign our certificates using "ISRG Root X1".

certbot certonly --manual -d <dns.example.com> --server https://acme-v02.api.letsencrypt.org/directory --preferred-chain "ISRG Root X1"

However, when I import the certificate, it has an ECDSA signature. I was expecting RSA instead but somehow am not able to use the correct intermediate and root certificates. Would you be able to point me in the correct direction?

This is what I am trying to do:
sapgenpse import_p12 -p SAPSSLS_n1 -r intermidiate.crt -r root.crt SSL_certificate.p12

Question is, how do I download the correct intermediate and root cert to use ISRG Root X1 -> RSA Intermediate (R10 or R11)?

Thank you.

1 Like

Nothing to do with roots; you seem confused about what DST Root CA X3 did, and the intermediates can (and will) change with each renewal.

If you want an RSA certificate, then you need to tell certbot that with --key-type RSA. By default you get ECDSA, since that works with most systems now.

I'm not familiar with the system you're trying to import it into, but certbot puts the leaf certificate into cert.pem, and the intermediate(s) into chain.pem. You shouldn't need to do anything with the root to set up a server, that's only used by clients (which generally already have it in their system's trust store).

4 Likes

Just adding a bit to Peter's good comment ... once you request an RSA cert you do not need to specify the --preferred-chain. Currently there is only one chain for RSA certs. See the Let's Encrypt chain docs here

4 Likes

I have a feeling you don't fully grasp how certificates and the web PKI work. You can download all the intermediates and roots you want (they're available at Chains of Trust - Let's Encrypt), but the thing that matters is how and by what key your end leaf certificate is signed. With the recent change, all RSA end leaf certificates are signed by an RSA intermediate and all ECDSA end leaf certificates are signed by an ECDSA intermediate.

So your question is not "how do I download intermediates and roots", but "How do I get the correct end leaf certificate signed by an RSA intermediate". Which is already answered by Peter above :slight_smile:

And to re-iterate to be absolutely clear: the ACME server, through the ACME client, provides the correct intermediate certificate with the signed end leaf certificate. So there is no need to manually download intermediates and roots and especially do not manually change any chain. It's provided by the ACME client, just use that.

3 Likes

@manuel121 How are you generating your p12 file?

Certbot will give you pem format files for your certificate components (private key, intermediate chain, cert etc) and you are likely running something (such as openssl) to convert that to a p12 archive.

A p12 archive (often also called PFX) can optionally contain your cert, all required intermediates, and your private key. So if your p12 is already complete with intermediates (and it looks like you also want the root included) you won't need the -r components.

I suspect somewhere you are using a pre-existing intermediate file instead of using the current intermediate that certbot has written out for you under /live/

3 Likes
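The replies above make two practical points: the leaf's key type and signature algorithm are decided when certbot requests the certificate (Peter's post about --key-type), and the .p12 should be assembled from the files certbot writes out (privkey.pem, cert.pem, chain.pem) rather than from a stale intermediate (the p12 post). The script below is an added example written for this thread; it is not from the thread, from certbot, or from Let's Encrypt. It assumes only that openssl is in PATH. Because it must run offline, it builds a constructed toy PKI (an RSA root, intermediate and leaf, and the same again in ECDSA) named the way certbot names its live/ files, and then shows the checks a practitioner would want before importing into SAP: what algorithm the leaf really carries, how to bundle key + leaf + intermediate into one .p12 with openssl so that no separate -r files are needed, and that the root is only needed by the verifying client, not by the server. The certbot command in the comment is the thread's own invocation with Peter's flag added and is not executed here.

```shell
#!/bin/sh
# Added example for this thread; not certbot or Let's Encrypt code.
# Assumes only `openssl` in PATH. Builds a constructed toy PKI so the checks
# run offline; against a real issuance you would instead run something like
#   certbot certonly --manual -d dns.example.com --key-type rsa
# and point the functions at /etc/letsencrypt/live/<name>/{privkey,cert,chain}.pem.
set -eu

WORK=${WORK:-$(mktemp -d)}

# make_toy_chain DIR ALG  (ALG is "rsa" or "ec"): root -> intermediate -> leaf,
# all self-made test material, written under certbot's file names.
make_toy_chain() {
  dir=$1; alg=$2
  mkdir -p "$dir"
  if [ "$alg" = rsa ]; then
    keyopts="-newkey rsa:2048"
  else
    keyopts="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1"
  fi
  # CA extensions for root and intermediate, so `openssl verify` accepts them as issuers.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # Root: CSR self-signed with its own key.
  openssl req -new $keyopts -nodes -subj "/CN=Toy Root ($alg)" \
    -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
  # Intermediate: signed by the root; this file plays the role of certbot's chain.pem.
  openssl req -new $keyopts -nodes -subj "/CN=Toy Intermediate ($alg)" \
    -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/chain.pem" >/dev/null 2>&1
  # Leaf: signed by the intermediate (certbot's cert.pem and privkey.pem).
  openssl req -new $keyopts -nodes -subj "/CN=dns.example.com" \
    -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -out "$dir/cert.pem" >/dev/null 2>&1
  cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# Algorithm of the leaf's own public key: "rsaEncryption" or "id-ecPublicKey".
leaf_key_type() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

# Algorithm the ISSUER used to sign the leaf, e.g. "sha256WithRSAEncryption" or
# "ecdsa-with-SHA256". This is the "signature" the importing system reports.
leaf_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Signature Algorithm: //p' | head -n 1
}

# Bundle private key + leaf + intermediate(s) into one .p12 (PFX). The chain
# rides along via -certfile, so the import needs no separate intermediate file.
# The password "changeit" is a constructed placeholder.
build_p12() {
  out=$1; key=$2; cert=$3; chain=$4
  openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
    -passout pass:changeit -out "$out"
}

# Number of certificates inside the .p12 (leaf + intermediate should give 2).
count_p12_certs() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# The client's view: leaf -> intermediate -> root. The root is the trust anchor
# the client already holds; the server never has to ship it.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Demo run over both toy PKIs.
for alg in rsa ec; do
  make_toy_chain "$WORK/$alg" "$alg"
  printf '%-3s leaf: public key = %-16s signed with = %s\n' "$alg" \
    "$(leaf_key_type "$WORK/$alg/cert.pem")" "$(leaf_sig_alg "$WORK/$alg/cert.pem")"
done
build_p12 "$WORK/rsa/SSL_certificate.p12" \
  "$WORK/rsa/privkey.pem" "$WORK/rsa/cert.pem" "$WORK/rsa/chain.pem"
printf 'certificates inside the RSA p12: %s\n' "$(count_p12_certs "$WORK/rsa/SSL_certificate.p12")"
verify_chain "$WORK/rsa/root.pem" "$WORK/rsa/chain.pem" "$WORK/rsa/cert.pem" \
  && echo 'RSA leaf chains to the root through chain.pem'
```

Run the leaf_sig_alg check on certbot's real cert.pem before touching SAP: if it prints an ecdsa-with-* value, the certificate was requested with the default ECDSA key type and no choice of intermediate or root file will change that; re-request with --key-type rsa. Once cert.pem is RSA and the .p12 was built from the current chain.pem, the import only needs the .p12 itself.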
