What happened here?

Hello Folks,

i'm using the EFF Certbot along with the Cloudflare Plugin (DNS challenge). Recently, i discovered something unusual:

  1. I got an ECDSA certificate signed by R3. But according to the Let's Encrypts Chain of Trust, only E1 should sign ECDSA certificates, right? Or did i misunderstood something here?

  2. This certificate is not listed in crt.sh database (the certificate has been issued 2 weeks ago).

Can someone explain what happened here?

BR,
Giga

Signing of ECDSA certs by E1 is opt-in only. If you're not on the opt-in list, your cert will be signed by R3, even if it's an ECDSA cert.

This is actually mentioned on the Chain of Trust page you've linked to by the way..

Crt.sh is backlogged a lot, depending on the CT log. See https://crt.sh/monitored-logs for current backlogs. One of the active Google CT logs is even backlogged 45 days!

There are other CT log aggregators, see Certificate Transparency Search Resources for more of them.

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.