Let's Encrypt Root CA Cert

Overview / Explination

Since Let’s Encrypt’s own root certificate authority, ISRG Root X1, is still quite new and not commonly trusted. To get around this issue, Let’s Encrypt’s intermediate has be graciously cross-signed by IdentTrust’s root certificate authority DST Root CA X3, which is commonly trusted by clients.

What this means is that most certificates issued by Let’s Encrypt have an origin of trust from IdentTrust’s root CA.

Take for example the OpenChirp MQTT server. We can use openssl s_client to inspect the certificate presented to the user.

openssl s_client -connect mqtt.openchirp.io:8883
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mqtt.openchirp.io
verify return:1
Certificate chain
 0 s:/CN=mqtt.openchirp.io
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

The beginning of the output shows the root is CN = DST Root CA X3, which doesn’t look like Let’s Encrypt’s own ISRG Root X1.

So, if you need to present the root CA cert to some program (for verification), you need to present IdentTrust’s root CA cert. See the next section to learn how to grab a usable x509 PEM formatted cert.

Grab Cert and Convert

If we want to present the trusted root CA cert for a Let’s Encrypt issued certificate, we need to present the IdentTrust root CA cert. More specifically, we need to reference the TrustID X3 root cert. The only problem with this is that IdentTrust only offers their certificate in PKCS7 binary format (.p7b), which is unusable in a lot of reasonable applications. We need x509 PEM format.

The following instructions will show how to compose the x509 .pem file for the DST Root CA X3 cert.


At the time of writing this, the following wget line was capable of grabbing the TrustID X3 cert in p7b format. The next openssl would convert that .p7b file to an x509 .pem file for normal use.

wget https://www.identrust.com/node/935 -O trustidrootx3_chain.p7b
openssl pkcs7 -inform DER -in trustidrootx3_chain.p7b -print_certs -outform PEM -out trustidrootx3_chain.pem

You can then use the trustidrootx3_chain.pem as the CAfile parameter of client programs.

Fallback Instructions

If the above commands failed, you can download the PKCS7 binary file (.p7b) file from the IdentTrust download page bellow.

To convert that PKCS7 binary file to x509 PEM, use the following openssl command:

openssl pkcs7 -inform DER -in <THE_DOWNLOADED_P7B_CERT> -print_certs -outform PEM -out trustidrootx3_chain.pem

You can then use the trustidrootx3_chain.pem as the CAfile parameter of client programs.

Example Usage of x509 PEM

Mosquitto Client

mosquitto_sub -v -i monitor$RANDOM -h mqtt.openchirp.io -p 8883 --cafile ./trustidrootx3_chain.pem -u <USER> -p <TOKEN>


comments powered by Disqus