Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

New default Let’s Encrypt certificate chain with ISRG Root X1 root

Daniel Nashed – 10 February 2024 07:41:11

Let's Encrypt finally changed their default root certificate from DST Root CA X3 to ISRG Root X1.
The old root expired already 2 1/2 years ago, but was cross signed with the new chain.

Now finally Let's Encrypt uses the new root by default, which results in a shorter chain.
They have been using the older, longer chain to specially support older Android devices, which didn't have the X1 root in their trust store.

When you are using Let's Encrypt ACME and did not specify an alternate chain, there is nothing to change.
The new shorter certificate chain will be automatically used the next time the certificate is renewed.

But in case you set specific settings, you might now have to remove those settings, because they flipped the certificate chains.
The alternate chain is now the older longer certificate chain.

For Domino CertMgr the custom setting is "ACME Alternate Chain Suffix".

Important: If you made this change to get the shorter chain with the X1 root, you now have to remove the setting.

I have pasted an example of the new shorter chain below. The new root is valid until 2035.
You can now wait until your certificate is automatically renewed 30 days before expiration.
I just ensured I have no alternate chain suffix added in my TLS Credentials quickly renewed all my certificates manually by submitting the documents.

With CertMgr and the new TLS Cache introduced in Domino 12.0 certificate renewal happens automatically and the new certificate and chain is reloaded immediately.

-- Daniel

Image:New default Let’s Encrypt certificate chain with ISRG Root X1 root

Subject    : /CN=*
SAN        : *
Issuer     : /C=US/O=Let's Encrypt/CN=R3
Not Before : 2024.02.10 06:10:18
Not After  : 2024.05.10 06:10:17 (expires in 89.0 days)

Serial     : 03F7BCA6889AC180D5631C241DEC675A341E
Sign Alg   : sha256WithRSAEncryption
KeyUsage   : DigitalSignature
Extensions : BasicConstraints, KeyUsage, ExtKeyUsage
ExtKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
Key        : ECDSA NIST P-256
ASN1 OID   : prime256v1

OCSP       :

AuthKeyId  : 14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
SubjKeyId  : 1E:E4:F1:CF:1F:CF:2F:5A:25:6F:9B:E4:A6:DA:79:E6:73:3D:AA:4A
MD5        : EB:35:BE:75:09:94:BC:66:F3:F1:ED:95:F8:F3:12:C9
SHA1       : 7D:AB:9B:D9:54:FE:26:FB:07:4C:22:6A:16:46:BF:3B:EC:DE:C0:43
SHA256     : 74:8E:F6:18:93:FD:17:B7:FC:ED:D6:B3:1C:63:50:71:D3:0A:02:AD:15:89:4F:7D:D9:FB:94:C7:60:3F:CB:A9

Subject    : /C=US/O=Let's Encrypt/CN=R3
Issuer     : /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Not Before : 2020.09.04 00:00:00
Not After  : 2025.09.15 16:00:00 (expires in 1.6 years)

Serial     : 912B084ACF0C18A753F6D62E25A75F5A
Sign Alg   : sha256WithRSAEncryption
KeyUsage   : DigitalSignature, CrlSign
Extensions : BasicConstraints, CA, KeyUsage, ExtKeyUsage
PathLen    : 0
ExtKeyUsage: TLS Web Client Authentication, TLS Web Server Authentication
Key        : RSA 2048 bit

CRL        :

AuthKeyId  : 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
SubjKeyId  : 14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
MD5        : E8:29:E6:5D:7C:43:07:D6:FB:C1:3C:17:9E:03:7A:36
SHA1       : A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05
SHA256     : 67:AD:D1:16:6B:02:0A:E6:1B:8F:5F:C9:68:13:C0:4C:2A:A5:89:96:07:96:86:55:72:A3:C7:E7:37:61:3D:FD

Root       : /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Not Before : 2015.06.04 11:04:38
Not After  : 2035.06.04 11:04:38 (expires in 11.3 years)

Serial     : 8210CFB0D240E3594463E0BB63828B00
Sign Alg   : sha256WithRSAEncryption
KeyUsage   : CrlSign
Extensions : BasicConstraints, CA, SelfSigned, KeyUsage
Key        : RSA 4096 bit

SubjKeyId  : 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
MD5        : 0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E
SHA1       : CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
SHA256     : 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6



    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]