by rocqua
2628 days ago
I'm not an expert on certificates, but some quick skimming of https://tools.ietf.org/html/rfc5280#section-4.1 suggests that a certificate only references the issuer certificate by name. Since, according to the article, the two different Let's Encrypt intermediates have the same key, and the same name, they are interchangeable?
As in, could I just replace the intermediate in my cert-chain and have everything continue smoothly? The end of the article suggests that this can't happen, but I can't quickly find what would stop this from happening.
On my blog ( https://theandrewbailey.com/ ), I have a "health check" page that includes all available trust chains. For my Let's Encrypt certificate, it shows 2: one through an intermediate to the DST Root, and another intermediate to the ISRG Root. I can verify that both exist and are used (though one certificate and intermediate are loaded and served): the current Firefox release (and all other browsers I've tried) uses the DST root, but Firefox Developer Edition uses the ISRG root.
It seems to make sense: certificates don't sign certificates, keys sign certificates (more specifically, certificate requests). I don't see an obvious reason that a single certificate request can't be signed more than once. If one is, trust should flow through either certificate, since the certificate says that the signer verified that the holder has the associated private key, and if that private key signed another certificate, it should not matter which intermediate the trust goes through, so long as the root on the other end is trusted.
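An added example (not from either commenter) that reproduces the situation both comments describe with openssl: two constructed roots each certify the same intermediate key under the same subject name, one leaf is issued with that key, and `openssl verify` accepts the leaf through either chain as long as the intermediate copy presented was issued by the root being trusted. All names are placeholders.

```sh
#!/bin/sh
# Constructed demo: one intermediate key and name certified by two different
# roots, one leaf issued with that key, verified through either chain.
# All names are placeholders; needs openssl (1.1.1 or newer) on PATH.
set -e
work=$(mktemp -d); cd "$work"

# Extensions shared by every CA certificate in the demo
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ca.ext

# Two independent, self-signed roots (stand-ins for the two anchors in the thread)
for r in rootA rootB; do
  openssl req -new -newkey rsa:2048 -nodes -keyout "$r.key" -out "$r.csr" \
    -subj "/CN=Demo $r" 2>/dev/null
  openssl x509 -req -in "$r.csr" -signkey "$r.key" -days 30 -extfile ca.ext \
    -out "$r.crt" 2>/dev/null
done

# One intermediate key and one CSR, signed by each root in turn: both resulting
# certificates carry the same subject name and the same public key
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate" 2>/dev/null
for r in rootA rootB; do
  openssl x509 -req -in inter.csr -CA "$r.crt" -CAkey "$r.key" -CAcreateserial \
    -days 30 -extfile ca.ext -out "inter-by-$r.crt" 2>/dev/null
done

# The leaf is issued once, by the intermediate KEY; the rootA copy is passed only
# so openssl can copy the issuer name and key identifier from it
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=example.test" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\nauthorityKeyIdentifier=keyid\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter-by-rootA.crt -CAkey inter.key \
  -CAcreateserial -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Returns 0 when leaf.crt validates with $1 as the only trust anchor and $2 as
# the presented (untrusted) intermediate certificate
verify_chain() {
  openssl verify -CAfile "$1.crt" -untrusted "$2" leaf.crt >/dev/null 2>&1
}

# Same leaf, two valid chains: swapping the intermediate copy is all it takes
verify_chain rootA inter-by-rootA.crt && echo "leaf -> intermediate -> rootA: OK"
verify_chain rootB inter-by-rootB.crt && echo "leaf -> intermediate -> rootB: OK"
# The presented copy must still be the one issued by the trusted root
verify_chain rootB inter-by-rootA.crt || echo "rootA-issued copy under rootB trust: rejected"
```

The last check is what keeps the two copies from being freely mixed: the relying party still has to find an issuer for whichever intermediate certificate it is handed, so the copy served must match a root that client actually trusts.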