I think it is a mistake to assume that the "intermediate" (i.e. your
ISRG Root X1 cross-signed by DST Root CA X3) is the same certificate as
your self-signed ISRG Root X1. The "intermediate" can only be chained
up to expired DST Root CA X3.
On 08-Jan-21 1:31 AM, Aaron Gable via dev-security-policy wrote:
Clients using OpenSSL 1.0.x were failing, because
they couldn't recognize that one of the intermediates in the chain was in
their own trust store.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy