
21 Sep 2021, 11:54 a.m.
On Tue, 21 Sep 2021, at 9:33 AM, Lawrence D'Oliveiro wrote:
> Ah, I see why the discrepancy: my server’s cert actually includes two levels of CA: the topmost one matches what’s in Firefox, while the other one (“R3”) is the next level down.

This is common for most (all?) CAs. If there is ever an issue with the security of the issuing certificate (e.g. the private key is compromised) then they can revoke the CA's issuer certificate without affecting their root certificate. You can bet the private keys of the root certificates are very secure (e.g. 100% offline). This article from LE explains it well: https://letsencrypt.org/certificates/

--
Simon
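
Added illustration, not part of the message above: a shell example using the `openssl` CLI that builds a throwaway root, two intermediates and two leaf certificates, then verifies them as a client whose trust store holds only the root. It shows that the leaf validates only when the intermediate is presented with it, and that a replacement intermediate under the same root works without changing the trust store. All names (`root`, `r3`, `r4`, `leaf`, `leaf2`, the `Demo` subjects) are constructed for the example.

```shell
# Constructed throwaway chain: root -> r3 -> leaf, plus a replacement
# intermediate r4 -> leaf2. All names are hypothetical, not real CA material.

# mkcert DIR NAME SIGNER TRUE|FALSE: key + CSR for NAME, signed by SIGNER
# (SIGNER equal to NAME means self-signed, i.e. a root); last arg is the CA flag.
mkcert() (
    cd "$1" || exit 1
    name=$2 signer=$3
    printf 'basicConstraints = critical, CA:%s\n' "$4" > "$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null || exit 1
    if [ "$signer" = "$name" ]; then
        set -- -signkey "$name.key"
    else
        set -- -CA "$signer.pem" -CAkey "$signer.key" -CAcreateserial
    fi
    openssl x509 -req -in "$name.csr" -days 1 -extfile "$name.ext" "$@" \
        -out "$name.pem" 2>/dev/null
)

build_demo() {
    mkcert "$1" root root TRUE &&
    mkcert "$1" r3 root TRUE &&
    mkcert "$1" leaf r3 FALSE &&
    mkcert "$1" r4 root TRUE &&     # replacement intermediate, same root
    mkcert "$1" leaf2 r4 FALSE
}

# chain_ok DIR LEAF [INTERMEDIATE]: verify as a client whose trust store holds
# only root.pem; INTERMEDIATE is what the server sent alongside its leaf.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/$3.pem" "$1/$2.pem"
    else
        openssl verify -CAfile "$1/root.pem" "$1/$2.pem"
    fi >/dev/null 2>&1
}

d=$(mktemp -d) && build_demo "$d" && {
    chain_ok "$d" leaf r3  && echo "leaf + r3 sent, only root trusted: OK"
    chain_ok "$d" leaf     || echo "leaf sent alone, only root trusted: FAIL"
    chain_ok "$d" leaf2 r4 && echo "new intermediate r4, same trust store: OK"
}
rm -rf "$d"
```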