Sophos Letsencrypt



Let's Encrypt SSL certificate management via Dehydrated, with TSIG-authenticated dns-01 verification and Sophos UTM update hooks. USE AT YOUR OWN RISK! This package is not meant to be used on production servers or by inexperienced users. I assume no liability if something goes wrong while you use this package.

Backup! Before you start, make a backup of your configuration in case something goes wrong or the wrong certificate is overwritten.
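The dns-01 side of the description above, as an added example that is not the hook shipped by the Sophos package: a minimal dehydrated hook that publishes and removes the `_acme-challenge` TXT record through RFC 2136 dynamic updates signed with a TSIG key (BIND's `nsupdate`), and waits until the authoritative server answers with the record before handing control back. Everything site-specific is an assumption: the key file path, the server name `ns1.example.test`, the TTL, and the `example.test` zone used in the comments. The update batch is built as text by `build_update`, so it can be inspected without a DNS server; only `send_update` talks to the network.

```shell
#!/usr/bin/env sh
# Added example hook for dehydrated dns-01 via TSIG-signed dynamic DNS updates.
# Not the Kyse/letsencrypt-sophosutm-dns hook. Assumed settings (all constructed):
# TSIG key file path, DNS server name, record TTL.
set -eu

TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/dehydrated/acme-update.key}"   # assumed path
DNS_SERVER="${DNS_SERVER:-ns1.example.test}"                         # assumed server
CHALLENGE_TTL=60

# challenge_name DOMAIN: the owner name the ACME server queries for dns-01.
challenge_name() {
    printf '_acme-challenge.%s.' "$1"
}

# build_update add|delete DOMAIN TOKEN: the nsupdate batch for one challenge.
# Emitted as text so it can be reviewed or tested without touching a zone.
build_update() {
    action=$1; domain=$2; token=$3
    name=$(challenge_name "$domain")
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$action" = add ]; then
        printf 'update add %s %s IN TXT "%s"\n' "$name" "$CHALLENGE_TTL" "$token"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$token"
    fi
    printf 'send\n'
}

# send_update: feed a batch (stdin) to nsupdate, signing it with the TSIG key.
# The key file, not a shared password, is what authorises the zone change.
send_update() {
    nsupdate -k "$TSIG_KEYFILE"
}

# wait_for_txt DOMAIN TOKEN: poll the authoritative server until the record is
# visible, so the CA is not asked to validate before the zone carries the record.
wait_for_txt() {
    name=$(challenge_name "$1"); i=0
    while [ "$i" -lt 30 ]; do
        if dig +short @"$DNS_SERVER" "$name" TXT | grep -q "\"$2\""; then
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    return 1
}

# dehydrated invokes: HOOK deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#                     HOOK clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
case "${1:-}" in
    deploy_challenge)
        build_update add "$2" "$4" | send_update
        wait_for_txt "$2" "$4"
        ;;
    clean_challenge)
        build_update delete "$2" "$4" | send_update
        ;;
    *)
        # Other stages (deploy_cert, unchanged_cert, ...) are not handled here.
        ;;
esac
```

Point dehydrated at this file with `HOOK=` in its config and set `CHALLENGETYPE="dns-01"`; restrict the TSIG key on the server side to the `_acme-challenge` names so a leaked key cannot rewrite the rest of the zone.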

Our roots are kept safely offline. We issue end-entity certificates to subscribers from the intermediates in the next section. For additional compatibility as we submit our new Root X2 to various root programs, we have also cross-signed it from Root X1.

  • Active
    • ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
      • Self-signed: der, pem, txt
      • Cross-signed by DST Root CA X3: der, pem, txt
  • Active, limited availability
    • ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2)
      • Self-signed: der, pem, txt
      • Cross-signed by ISRG Root X1: der, pem, txt

We’ve set up websites to test certificates chaining to our active roots.

  • ISRG Root X1

  • ISRG Root X2

Under normal circumstances, certificates issued by Let’s Encrypt will come from “R3”, an RSA intermediate. We have also issued a new ECDSA intermediate (“E1”) and started issuing from it for internal testing. In April 2021, we will make ECDSA issuance publicly available with an account-based allow-list. This page will be updated soon on how to get an account on the allow-list.

Our other intermediates (“R4” and “E2”) are reserved for disaster recovery and will only be used should we lose the ability to issue with our primary intermediates. We do not use the X1, X2, X3, and X4 intermediates anymore.

IdenTrust has cross-signed our RSA intermediates for additional compatibility.

  • Active
    • Let’s Encrypt R3 (RSA 2048, O = Let's Encrypt, CN = R3)
      • Signed by ISRG Root X1: der, pem, txt
      • Cross-signed by IdenTrust: der, pem, txt
  • Active
    • Let’s Encrypt E1 (ECDSA P-384, O = Let's Encrypt, CN = E1)
      • Signed by ISRG Root X2: der, pem, txt
  • Backup
    • Let’s Encrypt R4 (RSA 2048, O = Let's Encrypt, CN = R4)
      • Signed by ISRG Root X1: der, pem, txt
      • Cross-signed by IdenTrust: der, pem, txt
    • Let’s Encrypt E2 (ECDSA P-384, O = Let's Encrypt, CN = E2)
      • Signed by ISRG Root X2: der, pem, txt
  • Retired
    • Let’s Encrypt Authority X1 (RSA 2048, O = Let's Encrypt, CN = Let's Encrypt Authority X1)
      • Signed by ISRG Root X1: der, pem, txt
      • Cross-signed by IdenTrust: der, pem, txt
    • Let’s Encrypt Authority X2 (RSA 2048, O = Let's Encrypt, CN = Let's Encrypt Authority X2)
      • Signed by ISRG Root X1: der, pem, txt
      • Cross-signed by IdenTrust: der, pem, txt
    • Let’s Encrypt Authority X3 (RSA 2048, O = Let's Encrypt, CN = Let's Encrypt Authority X3)
      • Signed by ISRG Root X1: der, pem, txt
      • Cross-signed by IdenTrust: der, pem, txt
    • Let’s Encrypt Authority X4 (RSA 2048, O = Let's Encrypt, CN = Let's Encrypt Authority X4)
      • Signed by ISRG Root X1: der, pem, txt
      • Cross-signed by IdenTrust: der, pem, txt

Each of our intermediates represents a single public/private key pair. The private key of that pair generates the signature for all end-entity certificates (also known as leaf certificates), i.e. the certificates we issue for use on your server.

Our RSA intermediates are signed by ISRG Root X1. ISRG’s root is widely trusted at this point, but our RSA intermediates are still cross-signed by IdenTrust’s “DST Root CA X3” (now called “TrustID X3 Root”) for additional client compatibility. The IdenTrust root has been around longer and thus has better compatibility with older devices and operating systems (e.g. Windows XP, Android 7). You can download “TrustID X3 Root” from IdenTrust (or, alternatively, you can download a copy from us).

Having cross-signatures means that each of our RSA intermediates has two certificates representing the same signing key. One is signed by DST Root CA X3 and the other is signed by ISRG Root X1. The easiest way to distinguish the two is by looking at their Issuer field.

When configuring a web server, the server operator configures not only the end-entity certificate, but also a list of intermediates to help browsers verify that the end-entity certificate has a trust chain leading to a trusted root certificate. Almost all server operators will choose to serve a chain including the intermediate certificate with Subject “R3” and Issuer “DST Root CA X3.” The recommended Let’s Encrypt software, Certbot, will make this configuration seamlessly.
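The cross-signing and chain-selection points in the two paragraphs above, as an added shell example that is not code from letsencrypt.org or from the Sophos package: it builds a throwaway PKI with two roots, one intermediate key certified by both roots, and a leaf, then shows that the two intermediate certificates differ in their Issuer but carry the same public key, and that the leaf validates to a given root only when the intermediate certificate issued by that root is served alongside it. Assumed and constructed: every name (Toy Root A, Toy Root B, Toy Intermediate, leaf.example.test), OpenSSL 1.1.1 or later on the path, and the temporary working directory.

```shell
#!/bin/sh
# Added example (not letsencrypt.org's or the Sophos package's code): a toy PKI
# that mirrors the layout described above. Two roots stand in for ISRG Root X1 and
# DST Root CA X3; ONE intermediate key gets TWO certificates, one from each root.
# All names are constructed; the real Let's Encrypt certificates are not used.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for CA certificates and for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nsubjectAltName=DNS:leaf.example.test\n' > leaf.ext

# newkey NAME SUBJECT: fresh P-256 key plus a CSR for SUBJECT.
newkey() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

newkey rootA '/CN=Toy Root A'
newkey rootB '/CN=Toy Root B'
newkey int   '/CN=Toy Intermediate'
newkey leaf  '/CN=leaf.example.test'

# Self-signed roots.
openssl x509 -req -in rootA.csr -signkey rootA.key -extfile ca.ext -days 30 -out rootA.pem 2>/dev/null
openssl x509 -req -in rootB.csr -signkey rootB.key -extfile ca.ext -days 30 -out rootB.pem 2>/dev/null

# Cross-signing: the SAME intermediate CSR (same key) is certified by both roots,
# yielding two certificates that differ in Issuer and signature, not in key.
openssl x509 -req -in int.csr -CA rootA.pem -CAkey rootA.key -CAcreateserial -extfile ca.ext -days 30 -out int-by-A.pem 2>/dev/null
openssl x509 -req -in int.csr -CA rootB.pem -CAkey rootB.key -CAcreateserial -extfile ca.ext -days 30 -out int-by-B.pem 2>/dev/null

# The leaf is signed with the intermediate's single private key; either
# intermediate certificate can accompany it because both wrap that key.
openssl x509 -req -in leaf.csr -CA int-by-A.pem -CAkey int.key -CAcreateserial -extfile leaf.ext -days 30 -out leaf.pem 2>/dev/null

# cert_issuer FILE: Issuer DN in RFC 2253 form, the field that tells the two
# intermediate certificates apart.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# same_public_key A B: true when two certificates carry the same public key.
same_public_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# chain_verifies ROOT INTERMEDIATE LEAF: does LEAF chain to ROOT via INTERMEDIATE?
# This is the check a client performs against its trust store.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Operator's view when run directly.
for f in int-by-A.pem int-by-B.pem; do
    printf '%s: issuer %s\n' "$f" "$(cert_issuer "$f")"
done
same_public_key int-by-A.pem int-by-B.pem && echo 'both intermediate certs share one key'
chain_verifies rootA.pem int-by-A.pem leaf.pem && echo 'leaf validates to Root A via int-by-A'
chain_verifies rootB.pem int-by-B.pem leaf.pem && echo 'leaf validates to Root B via int-by-B'
chain_verifies rootB.pem int-by-A.pem leaf.pem || echo 'leaf does NOT validate to Root B via int-by-A (wrong chain served)'
```

The last line is the failure mode worth checking on a real server: a bundle that pairs the leaf with the intermediate certificate signed by one root will not validate on a client that only trusts the other root, which is exactly why the page recommends serving the IdenTrust-issued copy of R3 for older clients. `cert_issuer` applied to each certificate in the served bundle shows which copy is being sent.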

This certificate is used to sign OCSP responses for the Let’s Encrypt Authority intermediates, so that we don’t need to bring the root key online in order to sign those responses. A copy of this certificate is included automatically in those OCSP responses, so Subscribers don’t need to do anything with it. It is included here for informational purposes only.

  • ISRG Root OCSP X1 (Signed by ISRG Root X1): der, pem, txt

Our newer intermediates do not have OCSP URLs (their revocation information is instead served via CRL), so we have not issued an OCSP Signing Cert from ISRG Root X2.

GitHub - Kyse/letsencrypt-sophosutm-dns: Let's Encrypt Ssl ...

Let's Encrypt Integration – Sophos Ideas

We are dedicated to transparency in our operations and in the certificates we issue. We submit all certificates to Certificate Transparency logs as we issue them. You can view all issued Let’s Encrypt certificates via these links: