path: root/certs
Age | Commit message | Author | Files | Lines
2024-06-21 | certs: E1 / E5 -> ISRG Root X2 | Christian Hesse | 3 | -243/+21
In the beginning of Let's Encrypt their root certificate ISRG Root X1 was not widely trusted, at least some older and/or mobile platforms were missing that certificate in their root certificate store. At that time Let's Encrypt was using an alternative chain of trust, where a certificate was cross-signed with DST Root CA X3. To make sure a valid chain of trust is available under all circumstances a set of all certificates had to be supplied: both root certificates ISRG Root X1 & DST Root CA X3, and an intermediate certificate. This was still true after DST Root CA X3 expired, as it could still be used as a root anchor and was shipped by Let's Encrypt when requested. 🤪

This time is finally over, and we have a clean chain of trust ending in ISRG Root X1 (or ISRG Root X2). Well, actually it is the other way round... Let's Encrypt signs with different tantamount intermediate certificates. There is not only E5, but also E6 - and we cannot know beforehand which one is used on renew. So let's drop the intermediate certificates now, and rely on root certificates only. We are perfectly fine with this these days.

Follow-up commits will do the same for *all* certificates.

The certificate is downloaded with:

curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem
2024-06-19 | Let's Encrypt changed their intermediate certificates | Christian Hesse | 2 | -0/+350
https://letsencrypt.org/2024/03/19/new-intermediate-certificates
https://letsencrypt.org/certificates/

But let's keep the old ones around for now, as some sites are still using the old intermediate.
2024-05-14 | fw-addr-lists: add 'strongips' list from blocklist.de [change-128] | Christian Hesse | 1 | -0/+176
2024-03-16 | global-functions: $CertificateDownload: download via clean name... | Christian Hesse | 8 | -0/+0
... and rename certificates in repository.
2024-01-09 | certs: add new DigiCert certificates... | Christian Hesse | 1 | -0/+182
... used by Cloudflare.
2023-12-22 | global-functions: $GetMacVendor: get new certificate | Christian Hesse | 1 | -0/+238
The service now uses: GTS CA 1P5 -> GTS Root R1
2023-10-26 | global: switch eworm.de to new certificate chain (E1 / ISRG Root X2) | Christian Hesse | 1 | -119/+0
old chain: R3 / ISRG Root X1
new chain: E1 / ISRG Root X2

No user interaction or migration is required for existing installations as we install 'E1' and 'ISRG Root X2' for some time already.
2023-06-13 | certs: add Cloudflare certificates... | Christian Hesse | 1 | -0/+163
... for later use.
2023-06-13 | certs: add GlobalSign certificates... | Christian Hesse | 1 | -0/+177
... for later use.
2022-09-13 | global-functions: $GetMacVendor: switched to Let's Encrypt (R3) | Christian Hesse | 1 | -166/+0
So let's check for the correct one, and drop the other.
2021-09-21 | certs: drop old chain GTS CA 1O1 / GlobalSign | Christian Hesse | 1 | -186/+0
2021-09-20 | certs: add new chain GTS CA 1C3 / GTS Root R1 | Christian Hesse | 1 | -0/+242
This is used by Google DNS (8.8.8.8).

$CertificateAvailable "GTS CA 1C3"
/ip dns set use-doh-server=https://8.8.8.8/dns-query verify-doh-cert=yes
2021-09-20 | certs: drop old intermediate cert DigiCert ECC Secure Server CA | Christian Hesse | 1 | -166/+0
2021-09-20 | certs: add new intermediate cert DigiCert TLS Hybrid ECC SHA384 2020 CA1 | Christian Hesse | 1 | -0/+174
This is used by Cloudflare DNS (1.1.1.1) and Quad9 (9.9.9.9).

$CertificateAvailable "DigiCert TLS Hybrid ECC SHA384 2020 CA1"
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

$CertificateAvailable "DigiCert TLS Hybrid ECC SHA384 2020 CA1"
/ip dns set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes
2021-05-18 | drop certificate DST Root CA X3 | Christian Hesse | 1 | -77/+0
Let's Encrypt planned the transition to ISRG's root certificate ("ISRG Root X1") on July 8, 2019, but postponed several times. Finally they found another solution: A certificate 'ISRG Root X1', but cross-signed with 'DST Root CA X3' and with a lifetime that exceeds that of the root CA. This is said to work for most operating systems where root certificate authorities are just 'trust anchors'. I doubt this is true for RouterOS, where certificates are just imported into the certificate store. So let's migrate to 'ISRG Root X1' now.
2021-02-24 | global-functions: $GetMacVendor: requires certificate "Cloudflare Inc ECC CA-3" now | Christian Hesse | 1 | -0/+166
2020-12-30 | certs: add plain text info about certificates | Christian Hesse | 6 | -68/+1028
Also order certificates, so we have:
* intermediate
* root
* alternative root, if any

Let's add 'ISRG Root X1' for 'E1' as there will be a valid cross-signed chain 'E1' -> 'ISRG Root X2' -> 'ISRG Root X1'.
2020-12-18 | certs: remove Let's Encrypt Authority X3 | Christian Hesse | 1 | -83/+0
2020-12-17 | certs: add new Let's Encrypt certificates | Christian Hesse | 2 | -0/+112
https://letsencrypt.org/certificates/
2020-06-10 | add certificate 'GTS CA 1O1' | Christian Hesse | 1 | -0/+47
This is used by DNS over HTTPS services: https://dns.google/dns-query
2020-03-20 | add certificate 'DigiCert ECC Secure Server CA' | Christian Hesse | 1 | -0/+44
This is used by DNS over HTTPS services:
https://cloudflare-dns.com/dns-query
https://dns9.quad9.net/dns-query (secured)
https://dns10.quad9.net/dns-query (unsecured)

https://github.com/curl/curl/wiki/DNS-over-HTTPS
2019-04-30 | global-functions: $CertificateAvailable: fetch by CommonName | Christian Hesse | 3 | -0/+0
Now that we have a proper $UrlEncode function... Fetch certificates by CommonName. Also remove the PEM after import.
2019-01-02 | update-tunnelbroker: verify certificate | Christian Hesse | 1 | -0/+52
2018-12-20 | global-functions: make $CertificateAvailable work on CommonName | Christian Hesse | 4 | -136/+134
This should prevent endless certificate switching for Let's Encrypt cross-signed intermediate certificates.
2018-12-20 | README: add Root CA certificate DST Root CA X3 | Christian Hesse | 1 | -0/+20
This is used by Let's Encrypt to cross-sign.
2018-10-16 | README: download certificates from repository | Christian Hesse | 2 | -0/+64
2018-10-16 | global-functions: import certificates if required | Christian Hesse | 2 | -0/+52
Signed-off-by: Christian Hesse <mail@eworm.de>