The fullchain.cer created by acme contains three certificates:
cat fullchain.cer #I list part of each certificate
Please explain the role of each file here.
The first is your certificate.
The second is the intermediate (R3)
The third is the cross-signed root certificate (ISRG Root X1)
They make a chain up to a root certificate that is saved on the client. The third one is only needed on Android.
The first is my server-side certificate,
The second is the intermediate (R3),
The third is the CA certificate?
Yes, and no.
It's a root cert that chains to another root cert (thus the term "cross-signed").
Some systems will short circuit the chain verification (stopping once they have found a trusted entry) and some don't know that CA and continue onto the next link in the chain (the other CA).
Let's Encrypt has also made an attempt at explaining this in more detail at
I don't know if that additional detail will be helpful or not.
Another way of explaining this is based on the ROLE each certificate plays in the path:
The third "cross-signed root certificate" is included to handle situations in which the "ISRG Root X1 Certificate" is not available in the local Trust Store. In these scenarios, the "cross-signed root" does not function as the CA Certificate (or Trusted Root Certificate), but instead as an (Untrusted) Intermediate Certificate. The "Trust" comes from being (cross) signed by the DST X1 Certificate, which will act as the trusted CA Certificate.
So there are 2 general trust paths:
I think that is a very helpful way to describe it, @jvanasco.
It's fair to say that Let's Encrypt's strategy here is unusual in comparison to more commonly encountered trust chains, because of the DST root certificate expiration last year. Most trust chains do not attempt to rely on expired root certificates.
@yufeiluo, the reason for this unusual situation is that Let's Encrypt determined that it could help to maximize compatibility with older devices that do not receive software updates. This is a complicated discussion which was analyzed in some detail here on the forum last year, in topics related to the DST root certificate expiration. It especially has to do with the behavior of Android clients.
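The two trust paths described above, as an added example that is not part of this thread: a throwaway chain shaped like the fullchain.cer from acme.sh is generated with openssl and checked against a store holding only the self-signed ISRG root, a store holding only the DST root, and the DST store again with the third certificate left out. All names, keys and files are constructed for the demo; openssl 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a locally generated chain
# shaped like the one discussed above (leaf <- R3 <- ISRG Root X1, plus the
# ISRG root cross-signed by the DST root) and verifies the leaf against two
# trust stores. Every key, name and file here is constructed for the demo.
set -e
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > ee.ext

genkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null; }
# self-signed root: $1 = file stem, $2 = subject CN
root() { genkey "$1"; openssl req -x509 -new -key "$1.key" -subj "/CN=$2" -days 30 -out "$1.pem" 2>/dev/null; }
# certificate issued by another CA: $1 = stem whose key exists, $2 = CN, $3 = issuer stem, $4 = ext file, $5 = output
issue() {
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 30 -extfile "$4" -out "$5" 2>/dev/null
}

root dst  "DST Root (demo)"
root isrg "ISRG Root X1 (demo)"
# cross-sign: same key and subject as isrg.pem, but issued by the DST root
issue isrg "ISRG Root X1 (demo)" dst ca.ext isrg-cross.pem
genkey r3;   issue r3   "R3 (demo)"    isrg ca.ext r3.pem
genkey leaf; issue leaf "example.test" r3   ee.ext leaf.pem

# what acme.sh hands out: leaf, intermediate, cross-signed root
cat leaf.pem r3.pem isrg-cross.pem > fullchain.pem
# the same chain without the third certificate
cat leaf.pem r3.pem > shortchain.pem

# verify_chain TRUSTSTORE CHAINFILE: succeeds if leaf.pem chains to a root in TRUSTSTORE,
# using CHAINFILE only as untrusted intermediates (the way a TLS client treats the server's chain)
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1; }

for case in "isrg.pem fullchain.pem" "dst.pem fullchain.pem" "dst.pem shortchain.pem"; do
  set -- $case
  if verify_chain "$1" "$2"; then echo "store $1, chain $2: OK"; else echo "store $1, chain $2: FAIL"; fi
done
```

The first two runs succeed (path 1 stops at the trusted ISRG root, path 2 treats the cross-signed root as an untrusted intermediate and ends at the DST root); the third fails because a client that only trusts the DST root has no link from R3 to it without the third certificate.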