Why are LE full chain certs still bundled with ISRG Root X1

I'm listing this in the "Help" category although this isn't a specific help request.

I noticed when recently converting over to use Apache's mod_md that there are three certificates in the chain that gets built:

  • My own cert
  • R3
  • ISRG Root X1 (which is in the trust store)

An additional chain is found:

  • My own cert
  • R3
  • ISRG Root X1
  • DST Root CA X3 (in the trust store, but expired)

According to ssllabs, the only path that would require ISRG Root X1 to be included is the one in which ISRG Root X1 was signed by DST Root CA X3. DST Root CA X3 expired Sep 30, 2021.

So we're basically sending along a signed copy of ISRG Root X1, when it should already be in everyone's trust store. Can someone explain the logic behind this?

I checked here: Chain of Trust - Let's Encrypt and it doesn't seem to address the expiry of a root CA cert.

Because some Android clients don't check the expiration for DST Root CA X3 and don't have ISRG Root X1.

There is a comparison between the two chains: Long (default) and Short (alternate) Certificate Chains Explained
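A small, signature-free simulation of the path building the reply describes, added here as an example rather than code from the thread or from mod_md. The certificate names come from the posts above; the expiry dates, the trust-store contents, the `example.org` leaf and the `build_path` helper are assumptions made for the example.

```python
from datetime import date

# Constructed model of the certificates named in the thread: only subject,
# issuer and expiry matter for path building, so no signatures are modelled.
LEAF = {"subject": "example.org", "issuer": "R3", "not_after": date(2022, 2, 1)}
R3 = {"subject": "R3", "issuer": "ISRG Root X1", "not_after": date(2025, 9, 15)}
# ISRG Root X1 as cross-signed by DST Root CA X3: the extra cert the long chain carries.
X1_CROSS = {"subject": "ISRG Root X1", "issuer": "DST Root CA X3", "not_after": date(2024, 9, 30)}

LONG_CHAIN = [LEAF, R3, X1_CROSS]   # default chain: leaf, R3, cross-signed ISRG Root X1
SHORT_CHAIN = [LEAF, R3]            # alternate chain: no cross-signed root

# Trust stores as {self-signed root subject: expiry}; dates are assumed.
MODERN_STORE = {"ISRG Root X1": date(2035, 6, 4), "DST Root CA X3": date(2021, 9, 30)}
OLD_ANDROID_STORE = {"DST Root CA X3": date(2021, 9, 30)}  # no ISRG Root X1 at all
TODAY = date(2021, 11, 1)  # assumed: shortly after DST Root CA X3 expired

def build_path(chain, trust_store, today, check_root_expiry=True):
    """Walk from the leaf towards a trust anchor.

    Returns (anchor_name, path_subjects); anchor_name is None when no valid
    path exists. A trusted root is used as anchor as soon as it is the issuer
    of the current cert and (unless the client skips root expiry checks) it is
    still valid; otherwise the walk continues through the server-sent chain.
    """
    by_subject = {c["subject"]: c for c in chain}
    path, cert = [], chain[0]
    while cert is not None:
        if cert["not_after"] < today:
            return None, path          # an expired cert inside the sent chain
        path.append(cert["subject"])
        issuer = cert["issuer"]
        root_expiry = trust_store.get(issuer)
        if root_expiry is not None and (not check_root_expiry or root_expiry >= today):
            return issuer, path        # anchored on a trusted root
        cert = by_subject.get(issuer)  # otherwise keep walking the sent chain
    return None, path                  # ran out of certs before reaching a root

if __name__ == "__main__":
    cases = [
        ("modern client, long chain", LONG_CHAIN, MODERN_STORE, True),
        ("modern client, short chain", SHORT_CHAIN, MODERN_STORE, True),
        ("old Android, long chain", LONG_CHAIN, OLD_ANDROID_STORE, False),
        ("old Android, short chain", SHORT_CHAIN, OLD_ANDROID_STORE, False),
        ("legacy client that checks root expiry, long chain", LONG_CHAIN, OLD_ANDROID_STORE, True),
    ]
    for name, chain, store, strict in cases:
        anchor, path = build_path(chain, store, TODAY, strict)
        print(f"{name}: anchor={anchor} via {' -> '.join(path)}")
```

The modern client anchors on its own copy of ISRG Root X1 and never touches the cross-signed cert, while the old Android store only reaches a root when the long chain is sent and root expiry is not enforced.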
