rmbolger / Posh-ACME

PowerShell module and ACME client to create certificates from Let's Encrypt (or other ACME CA)
https://poshac.me/docs/latest/
MIT License

fullchain.pfx does not contain all certificates #581

Closed mikkebjo closed 1 week ago

mikkebjo commented 3 weeks ago

It seems like the fullchain.pfx only contains two certificates instead of three. [screenshot]

This is what it used to look like: [screenshot]

Is this expected or a bug? :)

rmbolger commented 3 weeks ago

Hey @mikkebjo, thanks for reaching out. The two screenshots you posted are technically from different CAs (Let's Encrypt Prod vs Let's Encrypt Staging). That said, the chain of trust for Let's Encrypt certs has become shorter somewhat recently due to the expiration of the cross-signed root issued by DST Root CA X3. The latest you would have seen the change should have been around June 2024 when LE stopped issuing certs with that chain. However, the cross-sign didn't actually expire until the end of September.

More info on the whole thing is here: https://letsencrypt.org/2023/07/10/cross-sign-expiration/

rmbolger commented 3 weeks ago

You may also notice that the intermediate certs have changed as well from R3 to either R10 or R11. Or if you're using EC certs, they would be issued from E5 or E6. The issuing cert is now randomized between the two issuers for each type. https://letsencrypt.org/certificates/
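To check what a given fullchain.pfx actually carries, and which intermediate issued the leaf, here is an added example (not code from Posh-ACME or from anyone in this thread) that loads the PFX with the .NET X509 classes and walks the chain from the leaf upward. `Get-PfxChain` is a hypothetical helper name; the PFX password is whatever was passed to Posh-ACME's `-PfxPass` (its default is `poshacme`); the `EphemeralKeySet` flag assumes .NET Framework 4.7.2+ or PowerShell 7.

```powershell
# Added example, not part of Posh-ACME: list the certificates in a PFX and walk its chain of trust.
using namespace System.Security.Cryptography.X509Certificates

function Get-PfxChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,      # e.g. .\fullchain.pfx
        [Parameter(Mandatory)][string]$Password   # the -PfxPass value used when the cert was exported
    )

    $certs = [X509Certificate2Collection]::new()
    # EphemeralKeySet keeps the private key in memory instead of persisting it to the user's key store
    # (assumed available: .NET Framework 4.7.2+ or PowerShell 7).
    $certs.Import((Resolve-Path $Path).Path, $Password, [X509KeyStorageFlags]::EphemeralKeySet)

    # Order inside a PFX is not guaranteed, so start at the leaf (the cert with the private key)
    # and follow Issuer -> Subject links until we hit a self-signed cert or the chain ends.
    $leaf = $certs | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key found in $Path" }

    $chain = [System.Collections.Generic.List[object]]::new()
    $current = $leaf
    while ($current) {
        $chain.Add([pscustomobject]@{
            Position   = $chain.Count
            Subject    = $current.Subject
            Issuer     = $current.Issuer
            NotAfter   = $current.NotAfter
            SelfSigned = ($current.Subject -eq $current.Issuer)
            Thumbprint = $current.Thumbprint
        })
        if ($current.Subject -eq $current.Issuer) { break }   # reached a root certificate
        $current = $certs |
            Where-Object { $_.Subject -eq $current.Issuer -and $_.Thumbprint -ne $current.Thumbprint } |
            Select-Object -First 1
    }

    # Report how many certs the PFX holds versus how many are linked into the chain;
    # a mismatch means the file carries a cert that does not belong to this chain.
    Write-Verbose ("PFX contains {0} certificate(s); {1} linked from the leaf." -f $certs.Count, $chain.Count)
    return $chain
}

# Usage:
# Get-PfxChain -Path .\fullchain.pfx -Password 'poshacme' -Verbose |
#     Format-Table Position, Subject, Issuer, NotAfter, SelfSigned
```

With the current Let's Encrypt production chain described above, the output should show the leaf at position 0 followed by a single intermediate (R10/R11 for RSA, E5/E6 for EC) whose Issuer is ISRG Root X1; the older three-certificate layout ended in the cross-signed root that has since expired. Because the walk stops when no issuer is found in the file, a chain that omits the root (the normal case) still lists cleanly.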