When will the Root/Intermediate Certs be available

I see the R3 intermediate expiring on Sept 29 and the DST Root CA X3 on Sept 30. We have an automation that brings down the new wildcard and full chain certs every sunday but the only cert updated thusfar is the 90 day one. Trying to plan for the updates for my servers for the root/intermediate and wanted to know when it would be available.

Thank you.


The R3 intermediate expiring Sept 29 has already been retired. The R3 intermediate currently in use is the R3 intermediate signed by the ISRG X1 root, valid till Sep 15 2025.

See for more info: Chain of Trust - Let's Encrypt and Production Chain Changes


Thanks Osiris! So the new Root/intermediate are available now and signed by ISRG then correct? If so we would just need to "chain" our wildcard to this new cert? Sorry for the questions this was all setup by a former staff member that left and took all the knowledge of the process with him. Any help on how to get the new root/intermediate added to our wildcard would be appreciated. Also the version of the cert we have with the ISRG is a .cer extension. Do I need to get the .pfx from LE?

1 Like

For quite some time now, yes.

Usually, this is done automatically by the ACME client used. In most circumstances one lets the ACME client manage the chain, as this is directly provided by the ACME server.

He/she might have not set up your certificate environment in a recommended way, as it sounds your certificate chain was not updated since Let's Encrypt has enabled the new chain(s) back in May.

All the required certificates can be found on the "Chain of Trust" page I linked above. However, it's better to let your ACME client do it. But how that's done is really ACME client dependend.

The extensions of the certificate/chain files is usually not important. Sometimes the extensions signal the encoding of the file, such as .pem (a PEM encoded cert/key). Or for example a .p12 file extension signals the file contains a PKCS #12 archive. But .cer doesn't really signal anything really.

The ACME servers provide the certificate/chain as PEM files as far as I know. No .pfx files. .pfx also suggests a PKCS #12 archive which usually contains the private key. But that private key is not available to Let's Encrypt, so Let's Encrypt couldn't even provide a PKCS #12 archive containing the private key, even if it wanted to.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.