惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
Simon Willison's Weblog
Simon Willison's Weblog
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
Engineering at Meta
Engineering at Meta
F
Fortinet All Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
About on SuperTechFans
Last Week in AI
Last Week in AI
月光博客
月光博客
有赞技术团队
有赞技术团队
P
Proofpoint News Feed
MyScale Blog
MyScale Blog
Martin Fowler
Martin Fowler
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
Check Point Blog
U
Unit 42
The Register - Security
The Register - Security
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hugging Face - Blog
Hugging Face - Blog
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
D
DataBreaches.Net
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
H
Hacker News: Front Page
Recent Announcements
Recent Announcements
C
CXSECURITY Database RSS Feed - CXSecurity.com
Latest news
Latest news
小众软件
小众软件
P
Palo Alto Networks Blog
PCI Perspectives
PCI Perspectives
Security Latest
Security Latest
S
Secure Thoughts
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
M
MIT News - Artificial intelligence
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google DeepMind News
Google DeepMind News
Recorded Future
Recorded Future
O
OpenAI News
S
Securelist
云风的 BLOG
云风的 BLOG
H
Help Net Security
T
Troy Hunt's Blog

Let's Encrypt Community Support - Latest posts

Fail to renew NGINX cert Installing across 2 servers Transitioning to 45-day certs: How to handle certificates with >25 SANs (blocked by `tlsserver` limit) TSplus certificate installation error Certsage Urn:ietf:params:acme:error:malformed [Let's Encrypt Blog] A Post-Quantum Future for Let's Encrypt Guidance on Security Review for Let’s Encrypt Adoption 2026.06.03 CRLs Temporarily Missing Revoked Serials ACME 404 errors for existing end-to-end tests: “No such authorization” / “Certificate not found” Certbot fullchain missing intermediates Can't generate certificate - Unable to validate JWS Unable to renew certificate on RHEL 8 Lost where my certificate is renewed from Want get R13 (ISRG Root X1) with acme.sh or certbot script Error renewing certificates, Error finalizing order :: authorizations for these identifiers not found: Error getting certificates ACME 404 errors for existing end-to-end tests: “No such authorization” / “Certificate not found” Certificate creation failed with message [Fail to load resource from 'https://acme-v02.api.letsencrypt.org/acme/finalize/ SSL certificate expired Certbot Code 1, Installing AMP for MC on CachyOS Certonly --force-renewal Need newby help with getting cert for my nas with my zip file Creating ssl certificate synology IKEv2 (strongSwan) fails with Let's Encrypt YR2 chain (works with other servers / chain mismatch suspected) Client can't connect ikev2 server HTTP-01 and AWS challenge Trouble with dns-rfc2136 plugin Getssl hangs, Lets Encrypt not requesting token Has there been a recent change in order/authorization reuse behavior for the Classic profile? Invalid response from web address so cannot validate Having trouble getting LetsEncrypt certificate CertSage 3.3.1 Release Client authentication Renewal-hooks directory Scheduling cert renewal When will certbot renew next time? Deploy-hook error Rate limiting by certbot issues pfSense - Windows DNS Server (Not AD) - TSIG error with server: tsig verify failure Crt.sh not updating Crt.sh not updating How code the dns-persist-01 challenge Win-Acme and using their acme-dns works wiht Let’s Encrypt Account ownership Unraid management access and acces to containers via SSL New Certificate Fails with Unauthorized 403 Seeking Clarity and Consistency on Configuring HTTP-01 challenge for multiple domains Certifiate failing renewal Letsencrypt blocked in Iran Problem with http verification Cyber-attacks from the secondary verification source addresses Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: How will clients handle X2 by X1 cross certificate revocation HTTPS Certificate Renewal and Mixed Content Issues Affecting My Real-Time Morse Code Website Using Let’s Encrypt .conf Files and Nginx along with Certbot Forbidden by policy error generating the let’s encrypt certificate SSL Certificate installed for 1 of 2 domains Certbot renewal issues breaking my self-hosted video review portal Certificate apparently not working New certificate apparently not working Certbot 5.6.0 Release Would signing the key authorization with the ACME private key increase security? Lego 5.0.0 Release Certificate renewal incomplete: missing domains beeandlunetrading.com We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved Is using preferred-chain "ISRG Root X2" still a good idea? Crypt::LE --delayed not being honored Intended audience for "tlsserver" profile 2026.05.08 Gen Y Cross-Certified Subordinate CAs missing serverAuth EKU Expired certs shut done websites Automatic renewal across multiple systems serving the same domain Account paused – Request to unpause domain exodus.digitalmansa.com Certificate for web theft phucnha.com DNS-PERSIST without spending an Order Certificate Expired, now I can't create a new one Account paused Invalid unpause URL I need to revoke a cert, how do i do this The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot LetsEncrypt Consultation SSL/TLS certificate Issue ISRG may have received a National Security Letter or FISA Court Order? Deactivating pending authorization Perhaps this domain is at risk group and is blacklisted on the Let's Encrypt side Certificate renewal error Azuracast letsencrypt error Certbot change provider from Sectigo to CertiNext Privacy policy still mentions disabled services Letsencrypt[.]top is squatting on the LE name and acting as a web client Cert renews not working anymore DNS Challenge failed incorrect TXT value FreeCert: a lightweight ACME management module for shared hosting and cPanel Certbot is rejecting its own specified _acme-challenge value Not able to renew certificates Issue of SSL Certificate fails Is there a CRL push infrastructure for Linux that can be hooked into? Today instantly SSL certificate problems CNAME and CAA clarification Safari won't trust Let's Encrypt certs Does Certbot support CNAME challenge? How does CNAME validation work vs DNS-01? ARI renewal-info Rate Limit Changes? "Generation Y" root program inclusion
Root Cert Protection and Signing Process for e.g. Intermediates or Cross-Signs of new Roots
@Osiris · 2026-04-19 · via Let's Encrypt Community Support - Latest posts

April 18, 2026, 8:59pm 1

kinda curious, how exactly are the Root certs handled, is that something the public is allowed to know?

while I assume that it is not QUITE as extreme as the DNSSec Root keys I would assume there is a similar idea, fully offline multiple people who have to be together to unlock different levels of access which are all needed to in the end get to however the root cert is protected right?

for reference, the DNSSec Process:
https://www.cloudflare.com/learning/dns/dnssec/root-signing-ceremony/

Osiris April 18, 2026, 9:05pm 2

Something like that as far as I know indeed. So called "root signing ceremonies". Look it up, there's probably info about it out there related to the web PKI too.

1 Like

The legal requirements that all public certificate authorities have agreed on - Let's Encrypt included - are documented in the Baseline Requirements from the CA/Browser Forum. Some excerpts:

6.1.1.1 CA Key Pair Generation
the CA SHALL:

  1. prepare and follow a Key Generation Script,
  2. have a Qualified Auditor witness the CA Key Pair generation process or record a video of the
    entire CA Key Pair generation process, and
  3. have a Qualified Auditor issue a report opining that the CA followed its key ceremony during
    its Key and Certificate generation process and the controls used to ensure the integrity and
    confidentiality of the Key Pair.

In all cases, the CA SHALL:

  1. generate the CA Key Pair in a physically secured environment as described in the CA’s
    Certificate Policy and/or Certification Practice Statement;
  2. generate the CA Key Pair using personnel in Trusted Roles under the principles of multiple
    person control and split knowledge;
  3. generate the CA Key Pair within cryptographic modules meeting the applicable technical and
    business requirements as disclosed in the CA’s Certificate Policy and/or Certification Practice
    Statement;
  4. log its CA Key Pair generation activities; and
  5. maintain effective controls to provide reasonable assurance that the Private Key was
    generated and protected in conformance with the procedures described in its Certificate
    Policy and/or Certification Practice Statement and (if applicable) its Key Generation Script.

4.3.1.1 Manual authorization of certificate issuance for Root CAs
Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA
system operator, system officer, or PKI administrator) to deliberately issue a direct command in
order for the Root CA to perform a certificate signing operation.

Effectively, this boils down to a) having auditors present when you do critical things, b) storing your key securely, c) having access controls (multi-person, security etc) in place. This involves putting them on a Hardware Security Module, and additionally you may want to keep them offline when they're not needed. Precise details are not usually public.

As stated in the BRs, a CA must describe their practices in their Certification Practice Statement. As such, you will find some further information there. Quoting from Let's Encrypts CPS:

5.2.2 Number of persons required per task
A number of tasks, such as key generation and entering areas physically containing operating ISRG PKI systems, require at least two people in Trusted Roles to be present.

6.7 Network security controls

ISRG implements reasonable network security safeguards and controls to prevent unauthorized access to CA systems and infrastructure. ISRG complies with the CA/Browser Forum's Network and Certificate System Security Requirements. Identified vulnerabilities are responded to within 96 hours of review, and remediated within a timeframe based on their risk profile: critical vulnerabilities within 96 hours, high-risk within one month, medium-risk within three months, and low-risk within six months.

ISRG's network is multi-tiered and utilizes the principle of defense in depth. Firewalls and other critical CA systems are configured based on a necessary-traffic-only allowlisting policy whenever possible.

ISRG Root CA Private Keys are stored offline in a secure manner.

4 Likes

My1 April 18, 2026, 11:04pm 4

I've seen a post about those in here, not that much details though, not sure if the procedures are different between making and signing new roots vs just handling intermediates and CRLs.

I have been very intrigued how insanely specific the DNSSec root process was even up to the level that the proces is fully public including video footage.

I think you can find some of the documentation you're looking for under the WebTrust Audits section of their legal repository page, including some key generation reports. I don't think all the details are nearly as publicly visible as the DNSSEC ceremonies are, though.

4 Likes

Osiris April 19, 2026, 7:47am 6

Depends what you mean with "handling intermediates" and "handling CRLs".

The intermediates are continuously used to sign leaf certificates, so they are "online" all the time (if in use). But to sign an intermediate, the root is required and that one needs to be kept offline and requires a ceremony, also to make sure the new intermediates aren't tampered with.

With regard to CRLs: the end leaf CRLs are signed by the intermediates, so no issue there. The intermediate CRLs are signed by the root certs, but only once to maybe twice a year (maybe? I dunno TBH, CRL is valid for a year after signing, but maybe they update it earlier to mitigate the risk if something goes wrong), so that'll require the root to be "activated" so most likely would require some sort of ceremony perhaps? Not sure how "big" and how much risk of tampering there would be.

My1 April 19, 2026, 10:39am 7

Well handling intermediates and crls from the root are basically "just" signing operations and don't particularly affect the root key and therefore might just need a lower quorum than when setting up new root keys or a new hardware and potentially copying keys if needed. (eg in dnssec aside from the always needed people like the ceremony admin, safe people witnesses etc, normal signing needs 3 cardholders for the TPMs while an operation where they backed up the keys to a new tpm needed 5.

Osiris April 19, 2026, 1:19pm 8

Most likely, sure.