Signing of the new intermediates


@jsha When will the new intermediates be signed by the ISRG Root X1?


Why would they? The new intermediates were created because of buggy behaviour Windows XP. The ISRG Root X1 signed intermediates don’t have that problem.


There is the following problem: ALL server certificates are now signed by the X3 intermediate, which means that they currently DON’T chain up to the ISRG Root X1 root CA, since the X3 is not signed by ISRG. So, if someone would like to utilize the ISRG root, they cannot, if they have server certificates from the X3, so a signature is needed, I think. When the ISRG root is trusted, I understand that the X3 would no longer be useful. But we have time ahead until that is done…


In a few months. We need to hold a key ceremony to bring our root online, and that requires a fair amount of advance planning and coordination. We’ll probably do it about the same time we generate an ECDSA root and intermediates.

Where is Let’s Encrypt Authority X3 intermediate certificate by ISRG Root X1?

but wouldnt you also need your root “ready” to sign CRLs/OCSPs for the root itself (regarding validity of the intermediates)?


The CRL is signed every 3 months it seems:

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
        Last Update: Feb 23 12:00:00 2016 GMT
        Next Update: May 23 12:00:00 2016 GMT

So I guess that doesn’t matter with regard to the intermediate signing ceremony.

Inclusion of ISRG Root

well “in a few months” can mean on the next CRL update because as obvious as it might seem, the private root key is needed for both.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.