惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
博客园 - 三生石上(FineUI控件)
S
Securelist
U
Unit 42
The Cloudflare Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Simon Willison's Weblog
Simon Willison's Weblog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog
T
Tenable Blog
The Hacker News
The Hacker News
The Register - Security
The Register - Security
IT之家
IT之家
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Privacy & Cybersecurity Law Blog
博客园_首页
T
Tailwind CSS Blog
人人都是产品经理
人人都是产品经理
C
Cybersecurity and Infrastructure Security Agency CISA
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
T
Tor Project blog
C
CERT Recently Published Vulnerability Notes
Apple Machine Learning Research
Apple Machine Learning Research
Stack Overflow Blog
Stack Overflow Blog
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
V
Vulnerabilities – Threatpost
A
Arctic Wolf
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
aimingoo的专栏
aimingoo的专栏
大猫的无限游戏
大猫的无限游戏
Scott Helme
Scott Helme
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
V
Visual Studio Blog
月光博客
月光博客
爱范儿
爱范儿
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Let's Encrypt Community Support - Latest topics

New Certificate Fails with Unauthorized 403 Seeking Clarity and Consistency on Configuring HTTP-01 challenge for multiple domains Certifiate failing renewal Letsencrypt blocked in Iran Problem with http verification Cyber-attacks from the secondary verification source addresses Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: How will clients handle X2 by X1 cross certificate revocation HTTPS Certificate Renewal and Mixed Content Issues Affecting My Real-Time Morse Code Website Using Let’s Encrypt .conf Files and Nginx along with Certbot Forbidden by policy error generating the let’s encrypt certificate SSL Certificate installed for 1 of 2 domains Certificate apparently not working Certbot 5.6.0 Release Would signing the key authorization with the ACME private key increase security? Lego 5.0.0 Release Certificate renewal incomplete: missing domains beeandlunetrading.com We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved Is using preferred-chain "ISRG Root X2" still a good idea? Crypt::LE --delayed not being honored Expressway certificate renewal error even after upgrading to the latest version Yocto Bitbake install of Certbot luadns fails with 'NoneType' object is not callable Intended audience for "tlsserver" profile Trouble finding Charter Communications as Web Hoster 2026.05.08 Gen Y Cross-Certified Subordinate CAs missing serverAuth EKU Certbot deploy-hook Obtaining account ID from xmox.nl email server SSL Certificate Expired - pwgroup.plabcapy.com More cultural recognition of HTTPS adoption Certificado certbot Upcoming Let’s Encrypt Profile Changes On May 13 Lets encrypt certificate issued website scam Issues getting certificates for .de zone Certbot-dns-multi for dns-lego fails with request for two domains Will tlssever profile switch to 45 days next week? Certbot script searching Expired certs shut done websites Automatic renewal across multiple systems serving the same domain Account paused – Request to unpause domain exodus.digitalmansa.com Certificate for web theft phucnha.com DNS-PERSIST without spending an Order Certificate Expired, now I can't create a new one Account paused Invalid unpause URL I need to revoke a cert, how do i do this Recommended Certbot Config for 2 certs with same FQDN with different acme servers The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot Cannot load certificate "/etc/letsencrypt/live/laurexplore.fr/fullchain.pem" A small static ACME server to distribute certs Certferry - easy distribution of wildcard LE certificates Permission errors on Let's ENcrypt certificate requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer')) The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot LetsEncrypt Consultation SSL/TLS certificate Issue ISRG may have received a National Security Letter or FISA Court Order? Deactivating pending authorization Perhaps this domain is at risk group and is blacklisted on the Let's Encrypt side Certificate renewal error Azuracast letsencrypt error Certbot change provider from Sectigo to CertiNext Privacy policy still mentions disabled services Letsencrypt[.]top is squatting on the LE name and acting as a web client Cert renews not working anymore DNS Challenge failed incorrect TXT value FreeCert: a lightweight ACME management module for shared hosting and cPanel Certbot is rejecting its own specified _acme-challenge value Not able to renew certificates Issue of SSL Certificate fails Today instantly SSL certificate problems CNAME and CAA clarification Issue an SSL certificate Wacs Domain cert generation - test successful but real fails 400 Posh-acme db_error submitting renewal Safari won't trust Let's Encrypt certs Does Certbot support CNAME challenge? How does CNAME validation work vs DNS-01? Win-Acme Renewal Failing Suddenly with DNS-01 (Dreamhost) My certicate is obsokete Certbot failed to authenticate some domains Possible deliberate publicly admitted violation of subscriber policy by Tom Murphy VII in the form of HTTPV ARI renewal-info Rate Limit Changes? Missing accounturi field in LE dns-persist-01 challenges Problem obtaining a certificate One cert failing to renew - don't know why Dns-persist-01 deployment status and timeline Issue (apparently) after upgrading certbot/ubuntu [nginx] IPv4 OK, IPv6 NOK Expressway ACME Certificate Renewal failing Certbot nginx challenge times out Certbot 5.5.0 Release Error unmarshaling request Try t Self-Host BitWarden - Having Issues Getting a Cert Various problems with three domains cme_registration.reg: Creating... ╷ │ Error: acme: error: 403 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:unauthorized :: An account with the provided public key exists but is deactivated Iran's internet outage and challenges for renewing letsencrypt certs Running multiple Certbot renewals in parallel — how to bypass the global lock file? Nginx ipv64.net Fritzbox Dietpi DNS-PERSIST-01 and _validation-persist CNAME Just a small certbot script check An easy way to publish dns-persist-01 records Problem finding dns-persist-01 in staging GoDaddy API access policy update
Root Cert Protection and Signing Process for e.g. Intermediates or Cross-Signs of new Roots
@Osiris · 2026-04-19 · via Let's Encrypt Community Support - Latest topics

April 18, 2026, 8:59pm 1

kinda curious, how exactly are the Root certs handled, is that something the public is allowed to know?

while I assume that it is not QUITE as extreme as the DNSSec Root keys I would assume there is a similar idea, fully offline multiple people who have to be together to unlock different levels of access which are all needed to in the end get to however the root cert is protected right?

for reference, the DNSSec Process:
https://www.cloudflare.com/learning/dns/dnssec/root-signing-ceremony/

Osiris April 18, 2026, 9:05pm 2

Something like that as far as I know indeed. So called "root signing ceremonies". Look it up, there's probably info about it out there related to the web PKI too.

1 Like

The legal requirements that all public certificate authorities have agreed on - Let's Encrypt included - are documented in the Baseline Requirements from the CA/Browser Forum. Some excerpts:

6.1.1.1 CA Key Pair Generation
the CA SHALL:

  1. prepare and follow a Key Generation Script,
  2. have a Qualified Auditor witness the CA Key Pair generation process or record a video of the
    entire CA Key Pair generation process, and
  3. have a Qualified Auditor issue a report opining that the CA followed its key ceremony during
    its Key and Certificate generation process and the controls used to ensure the integrity and
    confidentiality of the Key Pair.

In all cases, the CA SHALL:

  1. generate the CA Key Pair in a physically secured environment as described in the CA’s
    Certificate Policy and/or Certification Practice Statement;
  2. generate the CA Key Pair using personnel in Trusted Roles under the principles of multiple
    person control and split knowledge;
  3. generate the CA Key Pair within cryptographic modules meeting the applicable technical and
    business requirements as disclosed in the CA’s Certificate Policy and/or Certification Practice
    Statement;
  4. log its CA Key Pair generation activities; and
  5. maintain effective controls to provide reasonable assurance that the Private Key was
    generated and protected in conformance with the procedures described in its Certificate
    Policy and/or Certification Practice Statement and (if applicable) its Key Generation Script.

4.3.1.1 Manual authorization of certificate issuance for Root CAs
Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA
system operator, system officer, or PKI administrator) to deliberately issue a direct command in
order for the Root CA to perform a certificate signing operation.

Effectively, this boils down to a) having auditors present when you do critical things, b) storing your key securely, c) having access controls (multi-person, security etc) in place. This involves putting them on a Hardware Security Module, and additionally you may want to keep them offline when they're not needed. Precise details are not usually public.

As stated in the BRs, a CA must describe their practices in their Certification Practice Statement. As such, you will find some further information there. Quoting from Let's Encrypts CPS:

5.2.2 Number of persons required per task
A number of tasks, such as key generation and entering areas physically containing operating ISRG PKI systems, require at least two people in Trusted Roles to be present.

6.7 Network security controls

ISRG implements reasonable network security safeguards and controls to prevent unauthorized access to CA systems and infrastructure. ISRG complies with the CA/Browser Forum's Network and Certificate System Security Requirements. Identified vulnerabilities are responded to within 96 hours of review, and remediated within a timeframe based on their risk profile: critical vulnerabilities within 96 hours, high-risk within one month, medium-risk within three months, and low-risk within six months.

ISRG's network is multi-tiered and utilizes the principle of defense in depth. Firewalls and other critical CA systems are configured based on a necessary-traffic-only allowlisting policy whenever possible.

ISRG Root CA Private Keys are stored offline in a secure manner.

4 Likes

My1 April 18, 2026, 11:04pm 4

I've seen a post about those in here, not that much details though, not sure if the procedures are different between making and signing new roots vs just handling intermediates and CRLs.

I have been very intrigued how insanely specific the DNSSec root process was even up to the level that the proces is fully public including video footage.

I think you can find some of the documentation you're looking for under the WebTrust Audits section of their legal repository page, including some key generation reports. I don't think all the details are nearly as publicly visible as the DNSSEC ceremonies are, though.

4 Likes

Osiris April 19, 2026, 7:47am 6

Depends what you mean with "handling intermediates" and "handling CRLs".

The intermediates are continuously used to sign leaf certificates, so they are "online" all the time (if in use). But to sign an intermediate, the root is required and that one needs to be kept offline and requires a ceremony, also to make sure the new intermediates aren't tampered with.

With regard to CRLs: the end leaf CRLs are signed by the intermediates, so no issue there. The intermediate CRLs are signed by the root certs, but only once to maybe twice a year (maybe? I dunno TBH, CRL is valid for a year after signing, but maybe they update it earlier to mitigate the risk if something goes wrong), so that'll require the root to be "activated" so most likely would require some sort of ceremony perhaps? Not sure how "big" and how much risk of tampering there would be.

My1 April 19, 2026, 10:39am 7

Well handling intermediates and crls from the root are basically "just" signing operations and don't particularly affect the root key and therefore might just need a lower quorum than when setting up new root keys or a new hardware and potentially copying keys if needed. (eg in dnssec aside from the always needed people like the ceremony admin, safe people witnesses etc, normal signing needs 3 cardholders for the TPMs while an operation where they backed up the keys to a new tpm needed 5.

Osiris April 19, 2026, 1:19pm 8

Most likely, sure.