ISRG Root X1 Download


Gene Cryder

Aug 3, 2024, 4:02:17 PM8/3/24
to dimastade

Our root key material is kept safely offline. We issue end-entity certificates to subscribers from the intermediates described in the next section. All root certificate Subjects have a Country field of C = US.

We currently maintain four intermediates in active rotation. Subscriber certificates containing an ECDSA public key will be issued from one of the ECDSA intermediates; similarly, Subscriber certificates containing an RSA public key will be issued from one of the RSA intermediates.

Subscriber certificates with RSA public keys are issued from our RSA intermediates, which are issued only from our RSA root ISRG Root X1 (i.e. they are not cross-signed). Therefore, all RSA subscriber certificates have only a single chain available:

Subscriber certificates with ECDSA public keys are issued from our ECDSA intermediates, which are issued from both our RSA root ISRG Root X1 and our ECDSA root ISRG Root X2 (i.e. they are cross-signed). Therefore we offer two chains for these certificates:

Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Read all about our nonprofit work this year in our 2023 Annual Report.

For several months, I have had users complaining that they can no longer access certain sub-domains of my site because of an expired SSL certificate. After checking, they are all under Windows NT or old versions of Mac OS or Android.

So I tried to follow the recommendations of this forum, I upgraded certbot to the latest version and regenerated the SSL certificates with this command: 'sudo certbot --nginx --preferred-chain "ISRG Root X1"'

On my side everything works, however I don't know how I can check if the option has been taken into account. Is there a way to check it? In /etc/letsencrypt/live/ I have the files/shortcuts that have been updated (according to the date of the last modification). But I would like to be sure that the access to the subdomains is restored for the old devices.

But, to answer your question, you can see the chain your server sends with a site like below. If it ends in ISRG Root X1 (2 certs) it is the short chain, if in DST Root CA X3 (3 certs) it is the long chain.

Oh ok I see, thank you. After checking, I've switched to "ISRG Root X1". According to what you say, the old devices under Android will not be able to access it anymore but Windows NT and old mac OS devices will be able to access it again?

The default Let's Encrypt cert is the 'long chain' for a good reason and those people who can't use your site are also unable to use many other sites without warning message (such as this forum). If there are only a couple they might be happy to be guided on how to update their systems. The ISRG Root X1 root cert that they are missing has been out for over 5 years.

It's unlikely, I think, that ancient OSes have the ISRG Root X1 root certificate in their root certificate store. So for those very old OSes of which the root certificate store hasn't been updated since the ISRG Root X1 was accepted in major root certificate programs (approx. 5 years ago), it really doesn't matter which chain you're using. You can find out more about that here: Certificate Compatibility - Let's Encrypt

In the end, you might conclude Let's Encrypt is not the best free CA for your target audience. That said, other root certificates of other CAs also have this limitation one way or another. Maybe not now, but some day in the future, as root certificates will eventually expire. But maybe there is a different free CA better for your target.

Hi @schoen I've read this issue affects PCs running Windows XP (Service Pack 2) or earlier. I'm using Windows 7 Ultimate on my laptop and yet I'm running into the same issue on various websites when using Chrome (no problems with Firefox). Can you help? Thank you

So I downloaded the self-signed ISRG Root X1 .der file and successfully imported the ISRG Root X1 certificate but still getting the error message on some websites. I guess because I need to delete the DST Root CA X3 certificate as well? Would you know how I go about doing that? I'm a novice at all this. Thank you.

I have the isrgrootx1 file downloaded from your previous suggestion, but do you know what he means by "and put it on "Third Party Root Certification Authorities"". I couldn't find that option when I click on the file. Thank you for your help!

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority,[3] used by more than 300 million websites,[4] with the goal of all websites being secure and using HTTPS. The Internet Security Research Group (ISRG), the provider of the service, is a public benefit organization.[5] Major sponsors include the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Cisco Systems, Facebook, Google Chrome, Internet Society, AWS, NGINX, and Bill and Melinda Gates Foundation.[6] Other partners include the certificate authority IdenTrust,[7] the University of Michigan (U-M),[8] and the Linux Foundation.[9]

The mission for the organization is to create a more secure and privacy-respecting World-Wide Web by promoting the widespread adoption of HTTPS.[10] Let's Encrypt certificates are valid for 90 days, during which renewal can take place at any time.[11] This is handled by an automated process designed to replace the manual creation, validation, signing, installation, and renewal of certificates for secure websites.[12][13] The project claims its goal is to make encrypted connections to World Wide Web servers ubiquitous.[14] By eliminating payment, web server configuration, validation email management and certificate renewal tasks, it is meant to significantly lower the complexity of setting up and maintaining TLS encryption.[15]

On a Linux web server, execution of only two commands is sufficient to set up HTTPS encryption and acquire and install certificates.[16][17] To that end, a software package was included into the official Debian and Ubuntu software repositories.[18][19] Current initiatives of major browser developers such as Mozilla and Google to deprecate unencrypted HTTP are counting on the availability of Let's Encrypt.[20][21] The project is acknowledged to have the potential to accomplish encrypted connections as the default case for the entire Web.[22]

The service only issues domain-validated certificates, since they can be fully automated. Organization Validation and Extended Validation Certificates both require human validation of any registrants, and are therefore not offered by Let's Encrypt.[23] Support of ACME v2 and wildcard certificates was added in March 2018.[24] The domain validation (DV) utilized by Let's Encrypt dates back to 2002 and was at first controversial when introduced by GeoTrust before becoming a widely accepted method for the issuance of SSL certificates.[25]

By being as transparent as possible, the organization hopes to both protect its own trustworthiness and guard against attacks and manipulation attempts. For that purpose it regularly publishes transparency reports,[26] publicly logs all ACME transactions (e.g. by using Certificate Transparency), and uses open standards and free software as much as possible.[16]

The Let's Encrypt project was started in 2012 by two Mozilla employees, Josh Aas and Eric Rescorla, together with Peter Eckersley at the Electronic Frontier Foundation and J. Alex Halderman at the University of Michigan. Internet Security Research Group, the company behind Let's Encrypt, was incorporated in May 2013.[8]

On January 28, 2015, the ACME protocol was officially submitted to the IETF for standardization.[28] On April 9, 2015, the ISRG and the Linux Foundation declared their collaboration.[9] The root and intermediate certificates were generated in the beginning of June.[29] On June 16, 2015, the final launch schedule for the service was announced, with the first certificate expected to be issued sometime in the week of July 27, 2015, followed by a limited issuance period to test security and scalability. General availability of the service was originally planned to begin sometime in the week of September 14, 2015.[30] On August 7, 2015, the launch schedule was amended to provide more time for ensuring system security and stability, with the first certificate to be issued in the week of September 7, 2015 followed by general availability in the week of November 16, 2015.[31]

On September 14, 2015, Let's Encrypt issued its first certificate, which was for the domain helloworld.letsencrypt.org. On the same day, ISRG submitted its root program applications to Mozilla, Microsoft, Google and Apple.[32]

On November 12, 2015, Let's Encrypt announced that general availability would be pushed back and that the first public beta would commence on December 3, 2015.[33] The public beta ran from December 3, 2015[34] to April 12, 2016.[35] It launched on April 12, 2016.[36][37][5]

On March 3, 2020, Let's Encrypt announced that it would have to revoke over 3 million certificates on March 4, due to a flaw in its Certificate Authority software.[38] Through working with software vendors and contacting site operators, Let's Encrypt was able to get 1.7 million of the affected certificates renewed before the deadline. They ultimately decided not to revoke the remaining affected certificates, as the security risk was low and the certificates were to expire within the next 90 days.[39] The mass-revocation event has significantly increased the global revocation rate.[40]

In June 2015, Let's Encrypt announced the generation of their first RSA root certificate, ISRG Root X1.[44] The root certificate was used to sign two intermediate certificates,[44] which are also cross-signed by the certificate authority IdenTrust.[7][45] One of the intermediate certificates is used to sign issued certificates, while the other is kept offline as a backup in case of problems with the first intermediate certificate.[44] Because the IdenTrust certificate was already widely trusted by major web browsers, Let's Encrypt certificates can normally be validated and accepted by relying parties[29] even before browser vendors include the ISRG root certificate as a trust anchor.
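The two chain shapes described in the chain-of-trust section near the top of this post, the "2 certs ends in ISRG Root X1 / 3 certs ends in DST Root CA X3" check from the forum reply, and the IdenTrust cross-sign mentioned just above can all be reproduced offline with a toy PKI. The script below is an added example, not Let's Encrypt's or certbot's own code: every certificate in it is constructed on the spot, the subjects are look-alikes of ISRG Root X1, DST Root CA X3 and an R-series intermediate with "(toy)" appended, the keys are throwaway, and chain_kind, cert_count and verify_with are helper names chosen here. It needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example: a toy PKI mirroring the two Let's Encrypt chain shapes.
# Nothing here is real Let's Encrypt material: subjects are look-alikes marked
# "(toy)", keys are throwaway, and the helper names are this example's own.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: one for CA certificates, one for the end-entity (leaf).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > leaf.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:example.test
EOF

# mkcsr NAME SUBJECT: fresh RSA key plus a CSR for that subject.
mkcsr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}

# Old root that legacy devices trust (stand-in for DST Root CA X3), self-signed.
mkcsr dst "/O=Toy Old Root CA/CN=DST Root CA X3 (toy)"
openssl x509 -req -in dst.csr -signkey dst.key -days 30 -extfile ca.ext -out dst.pem 2>/dev/null

# Newer root (stand-in for ISRG Root X1): ONE key and subject, TWO certificates.
mkcsr isrg "/C=US/O=Toy ISRG/CN=ISRG Root X1 (toy)"
# self-signed: the trust anchor that up-to-date root stores carry
openssl x509 -req -in isrg.csr -signkey isrg.key -days 30 -extfile ca.ext -out isrg-self.pem 2>/dev/null
# cross-signed by the old root: same subject and key, so it can sit in a chain as an intermediate
openssl x509 -req -in isrg.csr -CA dst.pem -CAkey dst.key -CAcreateserial -days 30 -extfile ca.ext -out isrg-cross.pem 2>/dev/null

# RSA intermediate (stand-in for an R-series intermediate) issued by the new root, then a subscriber leaf.
mkcsr r "/C=US/O=Toy ISRG/CN=R11 (toy)"
openssl x509 -req -in r.csr -CA isrg-self.pem -CAkey isrg.key -CAcreateserial -days 30 -extfile ca.ext -out r.pem 2>/dev/null
mkcsr leaf "/CN=example.test"
openssl x509 -req -in leaf.csr -CA r.pem -CAkey r.key -CAcreateserial -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# The two fullchain.pem shapes a server can send (constructed here):
cat leaf.pem r.pem                > short-chain.pem  # 2 certs: ends at the intermediate, issued by ISRG Root X1
cat leaf.pem r.pem isrg-cross.pem > long-chain.pem   # 3 certs: ends at ISRG Root X1 cross-signed by DST Root CA X3

# cert_count FILE: how many PEM certificates the bundle contains.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# last_cert FILE: the final certificate block of a PEM bundle.
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} {c[n]=c[n] $0 "\n"} END{printf "%s", c[n]}' "$1"
}

# chain_kind FILE: the forum reply's check made precise: classify by the ISSUER of the last cert.
chain_kind() {
  case "$(last_cert "$1" | openssl x509 -noout -issuer)" in
    *"DST Root CA X3"*) echo long ;;    # last cert is the cross-signed ISRG Root X1
    *"ISRG Root X1"*)   echo short ;;   # last cert is the intermediate itself
    *)                  echo unknown ;;
  esac
}

# verify_with ANCHOR CHAIN: does a client whose store holds only ANCHOR accept leaf.pem when CHAIN is served?
verify_with() {
  if openssl verify -no-CApath -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# Demo: each chain against a "modern" store (ISRG Root X1 only) and a "legacy" store (DST Root CA X3 only).
printf '%-7s %-5s %-14s %s\n' chain certs anchor result
for chain in short-chain.pem long-chain.pem; do
  for anchor in isrg-self.pem dst.pem; do
    printf '%-7s %-5s %-14s %s\n' "$(chain_kind "$chain")" "$(cert_count "$chain")" "$anchor" "$(verify_with "$anchor" "$chain")"
  done
done
```

The table it prints is the trade-off the forum replies are circling: a client that trusts only the old root accepts the 3-cert long chain (via the cross-signed copy of ISRG Root X1) but rejects the 2-cert short chain, while a client that has ISRG Root X1 in its store accepts both. A client that has neither root, which is the situation of the very old systems mentioned above, fails either way, and no choice of --preferred-chain helps it. To classify a real server's chain the same way, save the PEM blocks from `openssl s_client -connect host:443 -showcerts` to a file and pass that file to chain_kind in place of the constructed bundles.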
