Sign domain certificate like an intermediate certificate authorities

kyungmin.kim · March 10, 2022, 4:56am

Hello,

Can I use letsencrypt client to sign my domain certificate like an intermediate certificate authority?
(to sign www.mydomain.com using r3 certificate.)

ISRG Root X1 > R3 > community.letsencrypt.org

rg305 · March 10, 2022, 5:43am

No.
Only server authentication and client authentication "roles" are supported.

Osiris · March 10, 2022, 7:14am

Let's Encrypt does not offer subsidiary CAs from their chain of trust.

Also, the intermediate certificates used have the pathlen set to 0:

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0

(Source: Chain of Trust - Let's Encrypt)

That means that any certificate signed by R3 or E1 can never be a certificate with "CA:TRUE", so any cert issued by R3 or E1 can not be used to sign other certificates.

Topic		Replies	Views
Using a letsencrypt certificate as a signer Help	10	2821	March 30, 2023
Questions for Crosssigning of Letsencrypt and IdenTrust Issuance Tech	5	2559	May 31, 2017
Is there a way to keep domain bound to specific intermediate Issuance Tech	8	866	January 2, 2021
Creating intermediate certificate Help	2	1053	June 26, 2022
Where is Let’s Encrypt Authority X3 intermediate certificate by ISRG Root X1? Server	6	5037	May 19, 2016

Sign domain certificate like an intermediate certificate authorities

Related topics