惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
N
News and Events Feed by Topic
T
Troy Hunt's Blog
Help Net Security
Help Net Security
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
M
MIT News - Artificial intelligence
G
Google Developers Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V2EX - 技术
V2EX - 技术
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
大猫的无限游戏
大猫的无限游戏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Microsoft Security Blog
Microsoft Security Blog
Cisco Talos Blog
Cisco Talos Blog
T
Threatpost
Recent Commits to openclaw:main
Recent Commits to openclaw:main
S
SegmentFault 最新的问题
I
InfoQ
H
Hacker News: Front Page
D
Docker
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Blog — PlanetScale
Blog — PlanetScale
人人都是产品经理
人人都是产品经理
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
Netflix TechBlog - Medium
AWS News Blog
AWS News Blog
Know Your Adversary
Know Your Adversary
博客园 - 【当耐特】
T
Tor Project blog
U
Unit 42
H
Heimdal Security Blog
Microsoft Azure Blog
Microsoft Azure Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Privacy & Cybersecurity Law Blog
PCI Perspectives
PCI Perspectives
美团技术团队
O
OpenAI News
T
Tailwind CSS Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
B
Blog
GbyAI
GbyAI
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
MyScale Blog
MyScale Blog

Let's Encrypt Community Support - Latest topics

New Certificate Fails with Unauthorized 403 Seeking Clarity and Consistency on Configuring HTTP-01 challenge for multiple domains Certifiate failing renewal Letsencrypt blocked in Iran Problem with http verification Cyber-attacks from the secondary verification source addresses Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: How will clients handle X2 by X1 cross certificate revocation HTTPS Certificate Renewal and Mixed Content Issues Affecting My Real-Time Morse Code Website Using Let’s Encrypt .conf Files and Nginx along with Certbot Forbidden by policy error generating the let’s encrypt certificate SSL Certificate installed for 1 of 2 domains Certificate apparently not working Certbot 5.6.0 Release Would signing the key authorization with the ACME private key increase security? Lego 5.0.0 Release Certificate renewal incomplete: missing domains beeandlunetrading.com We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved Is using preferred-chain "ISRG Root X2" still a good idea? Crypt::LE --delayed not being honored Expressway certificate renewal error even after upgrading to the latest version Yocto Bitbake install of Certbot luadns fails with 'NoneType' object is not callable Intended audience for "tlsserver" profile Trouble finding Charter Communications as Web Hoster 2026.05.08 Gen Y Cross-Certified Subordinate CAs missing serverAuth EKU Certbot deploy-hook Obtaining account ID from xmox.nl email server SSL Certificate Expired - pwgroup.plabcapy.com More cultural recognition of HTTPS adoption Certificado certbot Upcoming Let’s Encrypt Profile Changes On May 13 Lets encrypt certificate issued website scam Issues getting certificates for .de zone Certbot-dns-multi for dns-lego fails with request for two domains Will tlssever profile switch to 45 days next week? Certbot script searching Expired certs shut done websites Automatic renewal across multiple systems serving the same domain Account paused – Request to unpause domain exodus.digitalmansa.com Certificate for web theft phucnha.com DNS-PERSIST without spending an Order Certificate Expired, now I can't create a new one Account paused Invalid unpause URL I need to revoke a cert, how do i do this Recommended Certbot Config for 2 certs with same FQDN with different acme servers The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot Cannot load certificate "/etc/letsencrypt/live/laurexplore.fr/fullchain.pem" A small static ACME server to distribute certs Certferry - easy distribution of wildcard LE certificates Permission errors on Let's ENcrypt certificate requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer')) The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot LetsEncrypt Consultation SSL/TLS certificate Issue ISRG may have received a National Security Letter or FISA Court Order? Deactivating pending authorization Perhaps this domain is at risk group and is blacklisted on the Let's Encrypt side Certificate renewal error Azuracast letsencrypt error Certbot change provider from Sectigo to CertiNext Privacy policy still mentions disabled services Letsencrypt[.]top is squatting on the LE name and acting as a web client Cert renews not working anymore DNS Challenge failed incorrect TXT value FreeCert: a lightweight ACME management module for shared hosting and cPanel Certbot is rejecting its own specified _acme-challenge value Not able to renew certificates Issue of SSL Certificate fails Today instantly SSL certificate problems CNAME and CAA clarification Issue an SSL certificate Wacs Domain cert generation - test successful but real fails 400 Posh-acme db_error submitting renewal Safari won't trust Let's Encrypt certs Does Certbot support CNAME challenge? How does CNAME validation work vs DNS-01? Win-Acme Renewal Failing Suddenly with DNS-01 (Dreamhost) My certicate is obsokete Certbot failed to authenticate some domains Possible deliberate publicly admitted violation of subscriber policy by Tom Murphy VII in the form of HTTPV ARI renewal-info Rate Limit Changes? Missing accounturi field in LE dns-persist-01 challenges Problem obtaining a certificate One cert failing to renew - don't know why Dns-persist-01 deployment status and timeline Issue (apparently) after upgrading certbot/ubuntu [nginx] IPv4 OK, IPv6 NOK Expressway ACME Certificate Renewal failing Certbot nginx challenge times out Certbot 5.5.0 Release Error unmarshaling request Try t Self-Host BitWarden - Having Issues Getting a Cert Various problems with three domains cme_registration.reg: Creating... ╷ │ Error: acme: error: 403 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:unauthorized :: An account with the provided public key exists but is deactivated Iran's internet outage and challenges for renewing letsencrypt certs Running multiple Certbot renewals in parallel — how to bypass the global lock file? Nginx ipv64.net Fritzbox Dietpi DNS-PERSIST-01 and _validation-persist CNAME Just a small certbot script check An easy way to publish dns-persist-01 records Problem finding dns-persist-01 in staging GoDaddy API access policy update
Root Cert Protection and Signing Process for e.g. Intermediates or Cross-Signs of new Roots
@Osiris · 2026-04-19 · via Let's Encrypt Community Support - Latest topics

April 18, 2026, 8:59pm 1

kinda curious, how exactly are the Root certs handled, is that something the public is allowed to know?

while I assume that it is not QUITE as extreme as the DNSSec Root keys I would assume there is a similar idea, fully offline multiple people who have to be together to unlock different levels of access which are all needed to in the end get to however the root cert is protected right?

for reference, the DNSSec Process:
https://www.cloudflare.com/learning/dns/dnssec/root-signing-ceremony/

Osiris April 18, 2026, 9:05pm 2

Something like that as far as I know indeed. So called "root signing ceremonies". Look it up, there's probably info about it out there related to the web PKI too.

1 Like

The legal requirements that all public certificate authorities have agreed on - Let's Encrypt included - are documented in the Baseline Requirements from the CA/Browser Forum. Some excerpts:

6.1.1.1 CA Key Pair Generation
the CA SHALL:

  1. prepare and follow a Key Generation Script,
  2. have a Qualified Auditor witness the CA Key Pair generation process or record a video of the
    entire CA Key Pair generation process, and
  3. have a Qualified Auditor issue a report opining that the CA followed its key ceremony during
    its Key and Certificate generation process and the controls used to ensure the integrity and
    confidentiality of the Key Pair.

In all cases, the CA SHALL:

  1. generate the CA Key Pair in a physically secured environment as described in the CA’s
    Certificate Policy and/or Certification Practice Statement;
  2. generate the CA Key Pair using personnel in Trusted Roles under the principles of multiple
    person control and split knowledge;
  3. generate the CA Key Pair within cryptographic modules meeting the applicable technical and
    business requirements as disclosed in the CA’s Certificate Policy and/or Certification Practice
    Statement;
  4. log its CA Key Pair generation activities; and
  5. maintain effective controls to provide reasonable assurance that the Private Key was
    generated and protected in conformance with the procedures described in its Certificate
    Policy and/or Certification Practice Statement and (if applicable) its Key Generation Script.

4.3.1.1 Manual authorization of certificate issuance for Root CAs
Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA
system operator, system officer, or PKI administrator) to deliberately issue a direct command in
order for the Root CA to perform a certificate signing operation.

Effectively, this boils down to a) having auditors present when you do critical things, b) storing your key securely, c) having access controls (multi-person, security etc) in place. This involves putting them on a Hardware Security Module, and additionally you may want to keep them offline when they're not needed. Precise details are not usually public.

As stated in the BRs, a CA must describe their practices in their Certification Practice Statement. As such, you will find some further information there. Quoting from Let's Encrypts CPS:

5.2.2 Number of persons required per task
A number of tasks, such as key generation and entering areas physically containing operating ISRG PKI systems, require at least two people in Trusted Roles to be present.

6.7 Network security controls

ISRG implements reasonable network security safeguards and controls to prevent unauthorized access to CA systems and infrastructure. ISRG complies with the CA/Browser Forum's Network and Certificate System Security Requirements. Identified vulnerabilities are responded to within 96 hours of review, and remediated within a timeframe based on their risk profile: critical vulnerabilities within 96 hours, high-risk within one month, medium-risk within three months, and low-risk within six months.

ISRG's network is multi-tiered and utilizes the principle of defense in depth. Firewalls and other critical CA systems are configured based on a necessary-traffic-only allowlisting policy whenever possible.

ISRG Root CA Private Keys are stored offline in a secure manner.

4 Likes

My1 April 18, 2026, 11:04pm 4

I've seen a post about those in here, not that much details though, not sure if the procedures are different between making and signing new roots vs just handling intermediates and CRLs.

I have been very intrigued how insanely specific the DNSSec root process was even up to the level that the proces is fully public including video footage.

I think you can find some of the documentation you're looking for under the WebTrust Audits section of their legal repository page, including some key generation reports. I don't think all the details are nearly as publicly visible as the DNSSEC ceremonies are, though.

4 Likes

Osiris April 19, 2026, 7:47am 6

Depends what you mean with "handling intermediates" and "handling CRLs".

The intermediates are continuously used to sign leaf certificates, so they are "online" all the time (if in use). But to sign an intermediate, the root is required and that one needs to be kept offline and requires a ceremony, also to make sure the new intermediates aren't tampered with.

With regard to CRLs: the end leaf CRLs are signed by the intermediates, so no issue there. The intermediate CRLs are signed by the root certs, but only once to maybe twice a year (maybe? I dunno TBH, CRL is valid for a year after signing, but maybe they update it earlier to mitigate the risk if something goes wrong), so that'll require the root to be "activated" so most likely would require some sort of ceremony perhaps? Not sure how "big" and how much risk of tampering there would be.

My1 April 19, 2026, 10:39am 7

Well handling intermediates and crls from the root are basically "just" signing operations and don't particularly affect the root key and therefore might just need a lower quorum than when setting up new root keys or a new hardware and potentially copying keys if needed. (eg in dnssec aside from the always needed people like the ceremony admin, safe people witnesses etc, normal signing needs 3 cardholders for the TPMs while an operation where they backed up the keys to a new tpm needed 5.

Osiris April 19, 2026, 1:19pm 8

Most likely, sure.