Age | Commit message | Author | Files | Lines |
2024-06-21 | certs: R3 / R10 -> ISRG Root X1 | Christian Hesse | 3 | -468/+38 |
2024-06-21 | certs: E1 / E5 -> ISRG Root X2•••In the beginning of Let's Encrypt their root certificate ISRG Root X1
was not widely trusted, at least some older and/or mobile platforms were
missing that certificate in their root certificate store.
At that time Let's Encrypt was using an alternative chain of trust,
where a certificate was cross-signed with DST Root CA X3.
To make sure a valid chain of trust is available under all circumstances
a set of all certificates had to be supplied: both root certificates
ISRG Root X1 & DST Root CA X3, and an intermediate certificate.
This was still true after DST Root CA X3 expired, as it could still be
used as a root anchor and was shipped by Let's Encrypt when requested. 🤪
This time is finally over, and we have a clean chain for trust ending in
ISRG Root X1 (or ISRG Root X2).
Well, actually it is the other way round... Let's Encrypt signs with
different tantamount intermediate certificates. There is not only E5, but
also E6 - and we can not know beforehand which one is used on renew.
So let's drop the intermediate certificates now, and rely on root
certificates only. We are perfectly fine with this these days.
Follow-up commits will do the same for *all* certificates.
The certificate is downloaded with:
curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem
| Christian Hesse | 3 | -243/+21 |
2024-06-19 | Let's Encrypt changed their intermediate certificates•••https://letsencrypt.org/2024/03/19/new-intermediate-certificates
https://letsencrypt.org/certificates/
But let's keep the old ones around for now, as some sites are still
using the old intermediate.
| Christian Hesse | 2 | -0/+350 |
2024-05-14 | fw-addr-lists: add 'strongips' list from blocklist.de (change-128) | Christian Hesse | 1 | -0/+176 |
2024-03-16 | global-functions: $CertificateDownload: download via clean name...•••... and rename certificates in repository.
| Christian Hesse | 8 | -0/+0 |
2024-01-09 | certs: add new DigiCert certificates...•••... used by Cloudflare.
| Christian Hesse | 1 | -0/+182 |
2023-12-22 | global-functions: $GetMacVendor: get new certificate•••The service now uses: GTS CA 1P5 -> GTS Root R1
| Christian Hesse | 1 | -0/+238 |
2023-10-26 | global: switch eworm.de to new certificate chain (E1 / ISRG Root X2)•••old chain: R3 / ISRG Root X1
new chain: E1 / ISRG Root X2
No user interaction or migration is required for existing installations
as we install 'E1' and 'ISRG Root X2' for some time already.
| Christian Hesse | 1 | -119/+0 |
2023-06-13 | certs: add Cloudflare certificates...•••... for later use.
| Christian Hesse | 1 | -0/+163 |
2023-06-13 | certs: add GlobalSign certificates...•••... for later use.
| Christian Hesse | 1 | -0/+177 |
2022-09-13 | global-functions: $GetMacVendor: switched to Let's Encrypt (R3)•••So let's check for the correct one, and drop the other.
| Christian Hesse | 1 | -166/+0 |
2021-09-21 | certs: drop old chain GTS CA 1O1 / GlobalSign | Christian Hesse | 1 | -186/+0 |
2021-09-20 | certs: add new chain GTS CA 1C3 / GTS Root R1•••This is used by Google DNS (8.8.8.8).
$CertificateAvailable "GTS CA 1C3"
/ip dns set use-doh-server=https://8.8.8.8/dns-query verify-doh-cert=yes
| Christian Hesse | 1 | -0/+242 |
2021-09-20 | certs: drop old intermediate cert DigiCert ECC Secure Server CA | Christian Hesse | 1 | -166/+0 |
2021-09-20 | certs: add new intermediate cert DigiCert TLS Hybrid ECC SHA384 2020 CA1•••This is used by Cloudflare DNS (1.1.1.1) and Quad9 (9.9.9.9).
$CertificateAvailable "DigiCert TLS Hybrid ECC SHA384 2020 CA1"
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
$CertificateAvailable "DigiCert TLS Hybrid ECC SHA384 2020 CA1"
/ip dns set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes
| Christian Hesse | 1 | -0/+174 |
2021-05-18 | drop certificate DST Root CA X3•••Let's Encrypt planned the transition to ISRG's root certificate ("ISRG Root
X1") on July 8, 2019, but postponed several times.
Finally they found another solution: A certificate 'ISRG Root X1', but
cross-signed with 'DST Root CA X3' and with a lifetime that exceeds that
of the root CA. This is said to work for most operating systems where root
certificate authorities are just 'trust anchors'.
I doubt this is true for RouterOS, where certificates are just imported
into the certificate store. So let's migrate to 'ISRG Root X1' now.
| Christian Hesse | 1 | -77/+0 |
2021-02-24 | global-functions: $GetMacVendor: requires certificate "Cloudflare Inc ECC CA-... | Christian Hesse | 1 | -0/+166 |
2020-12-30 | certs: add plain text info about certificates•••Also order certificates, so we have:
* intermediate
* root
* alternative root, if any
Let's add 'ISRG Root X1' for 'E1' as there will be a valid cross-signed
chain 'E1' -> 'ISRG Root X2' -> 'ISRG Root X1'.
| Christian Hesse | 6 | -68/+1028 |
2020-12-18 | certs: remove Let's Encrypt Authority X3 | Christian Hesse | 1 | -83/+0 |
2020-12-17 | certs: add new Let's Encrypt certificates•••https://letsencrypt.org/certificates/
| Christian Hesse | 2 | -0/+112 |
2020-06-10 | add certificate 'GTS CA 1O1'•••This is used by DNS over HTTPS services:
https://dns.google/dns-query
| Christian Hesse | 1 | -0/+47 |
2020-03-20 | add certificate 'DigiCert ECC Secure Server CA'•••This is used by DNS over HTTPS services:
https://cloudflare-dns.com/dns-query
https://dns9.quad9.net/dns-query (secured)
https://dns10.quad9.net/dns-query (unsecured)
https://github.com/curl/curl/wiki/DNS-over-HTTPS
| Christian Hesse | 1 | -0/+44 |
2019-04-30 | global-functions: $CertificateAvailable: fetch by CommonName•••Now that we have a proper $UrlEncode function... Fetch certificates
by CommonName.
Also remove the PEM after import.
| Christian Hesse | 3 | -0/+0 |
2019-01-02 | update-tunnelbroker: verify certificate | Christian Hesse | 1 | -0/+52 |
2018-12-20 | global-functions: make $CertificateAvailable work on CommonName•••This should prevent endless certificate switching for Let's Encrypt
cross-signed intermediate certificates.
| Christian Hesse | 4 | -136/+134 |
2018-12-20 | README: add Root CA certificate DST Root CA X3•••This is used by Let's Encrypt to cross-sign.
| Christian Hesse | 1 | -0/+20 |
2018-10-16 | README: download certificates from repository | Christian Hesse | 2 | -0/+64 |
2018-10-16 | global-functions: import certificates if required•••Signed-off-by: Christian Hesse <mail@eworm.de>
| Christian Hesse | 2 | -0/+52 |