
When configuring a web server, the server operator configures not only the end-entity certificate, but also a list of intermediates to help browsers verify The two is by looking at their Issuer field. One is signed by DST Root CA X3 and the other is signed by ISRG Root X1. Having cross-signatures means that each of our RSA intermediates has two certificates representing the same signing key. Root has been around longer and thus has better compatibility with older devices and operating systems (e.g. (now called “TrustID X3 Root”) for additional client compatibility. Point, but our RSA intermediates are still cross-signed by IdenTrust’s “DST Root CA X3”
Our RSA intermediates are signed by ISRG Root X1. The private key of that pair generates the signature for all end-entity certificates (also known as leaf certificates), i.e.
Let’s Encrypt Authority X4 (RSA 2048, O = Let's Encrypt, CN = Let's Encrypt Authority X4)

Each of our intermediates represents a single public/private.

Let’s Encrypt Authority X3 (RSA 2048, O = Let's Encrypt, CN = Let's Encrypt Authority X3).
Let’s Encrypt Authority X2 (RSA 2048, O = Let's Encrypt, CN = Let's Encrypt Authority X2).
Cross-signed by IdenTrust: der, pem, txt.
Let’s Encrypt Authority X1 (RSA 2048, O = Let's Encrypt, CN = Let's Encrypt Authority X1).
Let’s Encrypt E2 (ECDSA P-384, O = Let's Encrypt, CN = E2).
Let’s Encrypt R4 (RSA 2048, O = Let's Encrypt, CN = R4).
Let’s Encrypt E1 (ECDSA P-384, O = Let's Encrypt, CN = E1).
Cross-signed by IdenTrust: der, pem, txt (Retired).
Let’s Encrypt R3 (RSA 2048, O = Let's Encrypt, CN = R3).

IdenTrust has cross-signed our RSA intermediates for additional compatibility. We do not use the X1, X2, X3, and X4 intermediates anymore. Our other intermediates (“R4” and “E2”) are reserved for disaster recovery and will only be used should we lose the ability to issue with our primary intermediates. In the future, issuance from “E1” will be available for everyone. Under normal circumstances, certificates issued by Let’s Encrypt will come from “R3”, an RSA intermediate.

Currently, issuance from “E1”, an ECDSA intermediate, is possible only for ECDSA subscriber keys for allowlisted accounts. We’ve set up websites to test certificates chaining to our active roots.

Cross-signed by ISRG Root X1: der, pem, txt.
ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2).
Cross-signed by DST Root CA X3: der, pem, txt.
ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1).

We issue end-entity certificates to subscribers from the intermediates in the next section.

For additional compatibility as we submit our new Root X2 to various root programs, we have also cross-signed it from Root X1.