Store issuer certificate once for shared bundling


#1

I’m managing several thousand certificates through a custom implementation. Right now, every time I am issued a new certificate, I retrieve the issuer from the rel=“up” link header, bundle it together with the certificate and store it. The bundling is leading to a lot of duplicate storage. I was curious whether it is safe to just grab the issuer and store it once, then use that to bundle all certificates issued by Let’s Encrypt on the fly, so I don’t have all that duplicate storage.

When the issuer certificate is reissued at some point in the future, will that new issuer certificate work with LE certificates that were previously issued? Any other concerns with this approach? Trying to figure out the best way to manage this.

Thanks in advance!


#2

In principle, all certificates are signed by the issuer Let's Encrypt Authority X1. Only on very rare occasions are certs signed by the X2 intermediate (when the X1 is revoked et cetera, a doomsday scenario…).

As you can see on https://letsencrypt.org/certificates/ the intermediate certificates come in two forms:

  1. Official LE X1 cert, signed by ISRG Root X1. This one isn’t recognised currently, therefore:
  2. Cross-signed by IdenTrust, but this cert has the same CommonName as the “official” intermediate certificate.

Therefore, it’s possible to have two trusted chains once the official ISRG Root certificate is trusted in browsers. The “legacy” IdenTrust certificate will be trusted too: they have the same public key, so can verify the same issued certificates…

Hopefully this clarifies some matters :)
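The point made in #2 (the cross-signed intermediate carries the same public key, so it verifies the same leaf certificates) and the question in #1 (does a reissued intermediate still fit old leaves?) can both be checked mechanically before a stored issuer is bundled with a leaf. The following is an added example using only Go's standard library, not code from the thread or from Let's Encrypt: it builds a throwaway hierarchy in memory (the names "Example Root A/B", "Example Authority X1/X2" and the host www.example.com are constructed for the demo), issues one leaf, and then shows which candidate issuers pass an issuer-match check (name, key identifiers, signature) and which chains validate under which trusted root.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed, in-memory stand-in for the situation in the thread
// (example material, not Let's Encrypt's real roots or intermediates):
// two roots, one intermediate key certified twice (by its own root and
// cross-signed by the other root), a rotated intermediate with a fresh key,
// and a single leaf issued under the first intermediate certificate.
type PKI struct {
	RootA, RootB      *x509.Certificate // "own" root and "legacy" cross-signing root
	InterA, InterB    *x509.Certificate // same subject and public key, different signer
	InterNewKey, Leaf *x509.Certificate // InterNewKey: reissued intermediate with a new key pair
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate builds a CA template; CreateCertificate fills SubjectKeyId from the
// public key and AuthorityKeyId from the parent, so the key identifiers are
// derived purely from key material and match across a cross-sign.
func caTemplate(cn string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign issues tmpl for pub, signed by the parent's private key, and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI constructs the example hierarchy described on the PKI type.
func BuildPKI() *PKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootAKey, rootBKey, interKey, newInterKey, leafKey := newKey(), newKey(), newKey(), newKey(), newKey()

	rootATmpl, rootBTmpl := caTemplate("Example Root A", 1), caTemplate("Example Root B", 2)
	rootA := must(sign(rootATmpl, rootATmpl, &rootAKey.PublicKey, rootAKey))
	rootB := must(sign(rootBTmpl, rootBTmpl, &rootBKey.PublicKey, rootBKey))

	// One intermediate key, two certificates: identical subject and SPKI, different issuer.
	interA := must(sign(caTemplate("Example Authority X1", 3), rootA, &interKey.PublicKey, rootAKey))
	interB := must(sign(caTemplate("Example Authority X1", 4), rootB, &interKey.PublicKey, rootBKey))
	// A later intermediate that was reissued with a new key pair, not merely re-signed.
	interNew := must(sign(caTemplate("Example Authority X2", 5), rootA, &newInterKey.PublicKey, rootAKey))

	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(6),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(sign(leafTmpl, interA, &leafKey.PublicKey, interKey))
	return &PKI{RootA: rootA, RootB: rootB, InterA: interA, InterB: interB, InterNewKey: interNew, Leaf: leaf}
}

// IssuerMatches is the check to run before pairing a stored issuer with a leaf:
// the issuer name must match, the key identifiers must agree when both are
// present, and the leaf's signature must verify under the issuer's public key.
// Neither the issuer's serial nor who signed the issuer is consulted, which is
// exactly why a cross-signed copy of the same key passes and a new key does not.
func IssuerMatches(leaf, issuer *x509.Certificate) error {
	if !bytes.Equal(leaf.RawIssuer, issuer.RawSubject) {
		return fmt.Errorf("issuer name mismatch: leaf names %q, candidate is %q",
			leaf.Issuer.CommonName, issuer.Subject.CommonName)
	}
	if len(leaf.AuthorityKeyId) > 0 && len(issuer.SubjectKeyId) > 0 &&
		!bytes.Equal(leaf.AuthorityKeyId, issuer.SubjectKeyId) {
		return errors.New("authority key identifier does not match candidate's subject key identifier")
	}
	return leaf.CheckSignatureFrom(issuer)
}

// Bundle assembles leaf + issuer PEM on the fly from a single stored issuer,
// refusing if the pair does not actually chain.
func Bundle(leaf, issuer *x509.Certificate) ([]byte, error) {
	if err := IssuerMatches(leaf, issuer); err != nil {
		return nil, err
	}
	var out bytes.Buffer
	for _, c := range []*x509.Certificate{leaf, issuer} {
		if err := pem.Encode(&out, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}); err != nil {
			return nil, err
		}
	}
	return out.Bytes(), nil
}

// VerifyChain is full path validation of leaf via issuer to one trusted root,
// which is what a client does and where the two chains diverge.
func VerifyChain(leaf, issuer, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.example.com", Roots: roots, Intermediates: inters})
	return err
}

func main() {
	p := BuildPKI()
	fmt.Println("X1 via own root:  ", IssuerMatches(p.Leaf, p.InterA), VerifyChain(p.Leaf, p.InterA, p.RootA))
	fmt.Println("X1 cross-signed:  ", IssuerMatches(p.Leaf, p.InterB), VerifyChain(p.Leaf, p.InterB, p.RootB))
	fmt.Println("X2 with new key:  ", IssuerMatches(p.Leaf, p.InterNewKey))
}
```

The practical consequence for the "store once" design: keeping a single issuer is fine as long as every bundling operation runs a check like IssuerMatches against the leaf rather than assuming the stored issuer applies, because an intermediate that is merely re-signed (cross-sign, or a renewal of the same key) still matches, while an intermediate reissued with a new key pair matches none of the previously issued leaves and needs to be stored alongside the old one. Which root the resulting chain validates to is a separate decision from which issuer certificate fits the leaf, so the stored copy should be the one whose root the intended clients trust.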