2015: Let’s Encrypt Root CA Initial Setup

In 2015, Let’s Encrypt has three CA certificates:

ISRG Root X1 Certificate
Let’s Encrypt Intermediate X1 CA Certificate
Let’s Encrypt Intermediate X2 CA Certificate

Let’s Encrypt issues certificates to subscribers from its intermediate CAs, which allows it to keep the root CA safely offline. IdenTrust cross-signs the Let’s Encrypt intermediates. This allows Let’s Encrypt end-entity certificates to be accepted by all major browsers while Let’s Encrypt propagates its own root.
CRL Introduction

CRLs (Certificate Revocation Lists) are signed data structures that contain a list of revoked certificates. The integrity and authenticity of a CRL is provided by the digital signature appended to it. The signer of the CRL is typically the same entity that signed the issued certificates. CRLs are defined in RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

CRL File Format

A CRL is encoded as an X.509 structure; the CRL v2 structure is as below:
OCSP Introduction

The Online Certificate Status Protocol (OCSP) is documented in RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol. OCSP is a relatively simple request/response protocol for determining the current status of a digital certificate without requiring CRLs. OCSP messages are encoded in ASN.1.

OCSP Request

An OCSP request contains the following data:

protocol version (currently only Version 1 is defined).
service request.
one or more target certificate identifiers.