diafygi / gethttpsforfree

Source code for https://gethttpsforfree.com/

Step 5, Signed Certificate Chain 3 certs

ChrisDaemon opened this issue · comments

Tried it 3 times and my wildcard cert generation workflow produces 3 cert files.
They seem to be "domain.crt", "intermediate.pem", and the third one's...?

The only notable thing I can point out is the third one prints this...

X509v3 Key Usage: critical
                Certificate Sign, CRL Sign

I noticed the same thing. I ended up installing the last two in the intermediate cert section for how my hosting imports certs. The SSL Checker on SSLShopper says the cert is installed correctly. I didn't notice any issues with Chrome, Firefox, Safari, or Android Chrome either.

I would love to understand more about what changed though.

Third one seems to be a root/CA cert. Your browser should already have it. You should be fine with just the first and the second cert. I was, but out of curiosity I installed the third one as well and nothing changed in terms of the browser experience.

Correct, the root cert is included by Let's Encrypt by default because that root cert is also cross-signed by a previous, older root cert, since the newer root cert may not be included in older Android devices. For newer devices that have the newer root cert, this doesn't affect anything: the root cert is trusted already, so it is ignored.

https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
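To make the "third cert" concrete, here is an added example (not code from gethttpsforfree or Let's Encrypt) that builds a constructed toy PKI with the same shape as the bundle in this thread: a leaf, an intermediate, and a copy of the new root cross-signed by an old root. It then inspects a PEM bundle the way a practitioner would when deciding what to install: which entries are CAs, which one is genuinely self-signed (a root the client must already trust), and which key each link verifies against. It requires the `cryptography` package; all names ("Old Root", "New Root", "Toy Intermediate", "example.test") are constructed.

```python
import re
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, issuer_key, key, ca):
    """Issue a minimal cert for `subject`, signed by `issuer_key` (constructed toy PKI)."""
    now = datetime.utcnow()
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject)).issuer_name(_name(issuer))
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=90))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

def build_bundle():
    """Return (3-cert PEM bundle shaped like the thread's output, {name: self-signed root})."""
    old_k, new_k, int_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    old_root = make_cert("Old Root", "Old Root", old_k, old_k, True)  # only root in old trust stores
    new_root = make_cert("New Root", "New Root", new_k, new_k, True)  # root in current trust stores
    cross = make_cert("New Root", "Old Root", old_k, new_k, True)     # new root's key, old-root signed
    inter = make_cert("Toy Intermediate", "New Root", new_k, int_k, True)
    leaf = make_cert("example.test", "Toy Intermediate", int_k, leaf_k, False)
    pem = b"".join(c.public_bytes(serialization.Encoding.PEM) for c in (leaf, inter, cross))
    return pem, {"Old Root": old_root, "New Root": new_root}

def load_bundle(pem):
    """Split a PEM bundle into certificate objects, in file order."""
    blocks = re.findall(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem, re.S)
    return [x509.load_pem_x509_certificate(b) for b in blocks]

def signed_by(child, parent):
    """True if `child`'s signature verifies under `parent`'s public key (ECDSA toy PKI)."""
    try:
        parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                   ec.ECDSA(child.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def describe(certs):
    """(subject, issuer, is_ca, self_signed) per cert; only a self-signed root is redundant to serve."""
    rows = []
    for c in certs:
        ca = c.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
        rows.append((c.subject.rfc4514_string(), c.issuer.rfc4514_string(), ca, signed_by(c, c)))
    return rows

def ordered(certs):
    """Each cert's issuer must be the subject of the next cert in the bundle."""
    return all(a.issuer == b.subject for a, b in zip(certs, certs[1:]))
```

The third entry comes out as a CA whose subject is the new root but whose issuer is the old root, and it is not self-signed; that is exactly why serving it helps clients that only trust the old root while clients that already trust the new root ignore it.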