On Thu, Jan 07, 2021 at 09:31:17AM -0800, Aaron Gable wrote:
> In cases where we expect OpenSSL to be validating the chain, we expect that
> ISRG Root X1 is also in the trust store (unlike older versions of Android,
> where we know that it hasn't been added). As such, there will be two
>
I think it is a mistake to assume that the "intermediate" (i.e. your
ISRG Root X1 cross-signed by DST Root CA X3) is the same certificate as
your self-signed ISRG Root X1. The "intermediate" can only be chained
up to the expired DST Root CA X3.
On 08-Jan-21 1:31 AM, Aaron Gable via
In cases where we expect OpenSSL to be validating the chain, we expect that
ISRG Root X1 is also in the trust store (unlike older versions of Android,
where we know that it hasn't been added). As such, there will be two
certificates in the chain which are also in the local trust store: ISRG Root
On 2021-01-07 01:48, Aaron Gable wrote:
As mentioned in the blog post, and as we'll elaborate on further in an
upcoming post, one of the drawbacks of this arrangement is that there
actually is a class of clients for which chaining to an expired root
doesn't work: versions of OpenSSL prior to
As mentioned in the blog post, and as we'll elaborate on further in an
upcoming post, one of the drawbacks of this arrangement is that there
actually is a class of clients for which chaining to an expired root
doesn't work: versions of OpenSSL prior to 1.1. This is the same failure
mode as various
I'm curious whether this approach of cross-signing from a root
certificate which has already expired is exceptional for Let's Encrypt.
I'm not aware of any discussion on what conditions this approach could
be accepted by Mozilla and other root certificate programs. Or, is it
just a usual
We (Let's Encrypt) just announced a new cross-sign from IdenTrust which is a
bit unusual because it will extend beyond the expiration of the issuing root.
More details can be found here:
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
Best,
Josh