From 2465ac0514f79263d19c9bc4d3c4dba1cedaeba7 Mon Sep 17 00:00:00 2001
From: Tim Theisen
Date: Wed, 19 Jan 2022 09:09:29 -0600
Subject: [PATCH 1/3] SOFTWARE-4965: Completely removed expired Let's Encrypt ROOT CA X3

---
 Makefile | 16 +---------------
 letsencryptauthorityx3.signing_policy | 3 ---
 2 files changed, 1 insertion(+), 18 deletions(-)
 delete mode 100644 letsencryptauthorityx3.signing_policy

diff --git a/Makefile b/Makefile
index c3fcc92..2bd429d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,21 +1,18 @@
 sources = isrgrootx1.signing_policy \
- letsencryptauthorityx3.signing_policy \
 letsencryptauthorityx4.signing_policy \
 lets-encrypt-r3.signing_policy \
 lets-encrypt-r4.signing_policy \

 targets = 23c2f850.signing_policy 4042bcee.signing_policy \
- 4a0a35c0.signing_policy 4f06f81d.signing_policy \
 6187b673.signing_policy 929e297e.signing_policy \
 8d33f237.signing_policy dec71a0b.signing_policy \
 9f194ecd.signing_policy dd7d39a7.signing_policy \
 23c2f850.0 4042bcee.0 \
- 4a0a35c0.0 4f06f81d.0 \
 6187b673.0 8d33f237.0 \
 929e297e.0 9f194ecd.0 \
 dec71a0b.0 dd7d39a7.0 \
 isrgrootx1.pem \
- letsencryptauthorityx3.pem letsencryptauthorityx4.pem \
+ letsencryptauthorityx4.pem \
 lets-encrypt-r3.pem lets-encrypt-r4.pem

 installfiles = $(targets) $(sources)
@@ -35,17 +32,12 @@ clean :
 $(RM) $(targets) *.pem

 check : all
- openssl verify -CApath . letsencryptauthorityx3.pem
 openssl verify -CApath . letsencryptauthorityx4.pem

 23c2f850.signing_policy : letsencryptauthorityx4.signing_policy
 $(LINK) letsencryptauthorityx4.signing_policy 23c2f850.signing_policy
 4042bcee.signing_policy : isrgrootx1.signing_policy
 $(LINK) isrgrootx1.signing_policy 4042bcee.signing_policy
-4a0a35c0.signing_policy : letsencryptauthorityx3.signing_policy
- $(LINK) letsencryptauthorityx3.signing_policy 4a0a35c0.signing_policy
-4f06f81d.signing_policy : letsencryptauthorityx3.signing_policy
- $(LINK) letsencryptauthorityx3.signing_policy 4f06f81d.signing_policy
 6187b673.signing_policy : isrgrootx1.signing_policy
 $(LINK) isrgrootx1.signing_policy 6187b673.signing_policy
 8d33f237.signing_policy : lets-encrypt-r3.signing_policy
@@ -63,10 +55,6 @@ dd7d39a7.signing_policy : lets-encrypt-r4.signing_policy
 $(LINK) letsencryptauthorityx4.pem 23c2f850.0
 4042bcee.0 : isrgrootx1.pem
 $(LINK) isrgrootx1.pem 4042bcee.0
-4a0a35c0.0 : letsencryptauthorityx3.pem
- $(LINK) letsencryptauthorityx3.pem 4a0a35c0.0
-4f06f81d.0 : letsencryptauthorityx3.pem
- $(LINK) letsencryptauthorityx3.pem 4f06f81d.0
 6187b673.0 : isrgrootx1.pem
 $(LINK) isrgrootx1.pem 6187b673.0
 8d33f237.0 : lets-encrypt-r3.pem
@@ -86,7 +74,5 @@ lets-encrypt-r3.pem :
 $(GET) https://letsencrypt.org/certs/lets-encrypt-r3.pem
 lets-encrypt-r4.pem :
 $(GET) https://letsencrypt.org/certs/lets-encrypt-r4.pem
-letsencryptauthorityx3.pem :
- $(GET) https://letsencrypt.org/certs/letsencryptauthorityx3.pem
 letsencryptauthorityx4.pem :
 $(GET) https://letsencrypt.org/certs/letsencryptauthorityx4.pem
diff --git a/letsencryptauthorityx3.signing_policy b/letsencryptauthorityx3.signing_policy
deleted file mode 100644
index b75ab84..0000000
--- a/letsencryptauthorityx3.signing_policy
+++ /dev/null
@@ -1,3 +0,0 @@
-access_id_CA X509 '/C=US/O=Let\'s Encrypt/CN=Let\'s Encrypt Authority X3'
-pos_rights globus CA:sign
-cond_subjects globus '"/CN=*"'
From d33dc60ae6a6920d275b897828351b716d846c78 Mon Sep 17 00:00:00 2001
From: Tim Theisen
Date: Wed, 19 Jan 2022 09:39:08 -0600
Subject: [PATCH 2/3] SOFTWARE-4965: Missed on X3 reference

---
 isrgrootx1.signing_policy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/isrgrootx1.signing_policy b/isrgrootx1.signing_policy
index 2484859..072f1a3 100644
--- a/isrgrootx1.signing_policy
+++ b/isrgrootx1.signing_policy
@@ -1,3 +1,3 @@
 access_id_CA X509 '/C=US/O=Internet Security Research Group/CN=ISRG Root X1'
 pos_rights globus CA:sign
-cond_subjects globus '"/C=US/O=Let\'s Encrypt/CN=Let\'s Encrypt Authority X3" "/C=US/O=Let\'s Encrypt/CN=Let\'s Encrypt Authority X4" "/C=US/O=Let\'s Encrypt/CN=R3" "/C=US/O=Let\'s Encrypt/CN=R4"'
+cond_subjects globus '"/C=US/O=Let\'s Encrypt/CN=Let\'s Encrypt Authority X4" "/C=US/O=Let\'s Encrypt/CN=R3" "/C=US/O=Let\'s Encrypt/CN=R4"'
From ecba1d6048c4d85ba60ef0287f14ee7334017a23 Mon Sep 17 00:00:00 2001
From: Tim Theisen
Date: Wed, 19 Jan 2022 20:01:51 -0600
Subject: [PATCH 3/3] SOFTWARE-4965: Remove expired Let's Encrypt ROOT CA X4

---
 Makefile | 24 +++++++-----------------
 isrgrootx1.signing_policy | 2 +-
 letsencryptauthorityx4.signing_policy | 3 ---
 3 files changed, 8 insertions(+), 21 deletions(-)
 delete mode 100644 letsencryptauthorityx4.signing_policy

diff --git a/Makefile b/Makefile
index 2bd429d..a4f67d8 100644
--- a/Makefile
+++ b/Makefile
@@ -1,18 +1,16 @@
 sources = isrgrootx1.signing_policy \
- letsencryptauthorityx4.signing_policy \
 lets-encrypt-r3.signing_policy \
 lets-encrypt-r4.signing_policy \

-targets = 23c2f850.signing_policy 4042bcee.signing_policy \
- 6187b673.signing_policy 929e297e.signing_policy \
+targets = 4042bcee.signing_policy \
+ 6187b673.signing_policy \
 8d33f237.signing_policy dec71a0b.signing_policy \
 9f194ecd.signing_policy dd7d39a7.signing_policy \
- 23c2f850.0 4042bcee.0 \
+ 4042bcee.0 \
 6187b673.0 8d33f237.0 \
- 929e297e.0 9f194ecd.0 \
+ 9f194ecd.0 \
 dec71a0b.0 dd7d39a7.0 \
 isrgrootx1.pem \
- letsencryptauthorityx4.pem \
 lets-encrypt-r3.pem lets-encrypt-r4.pem

 installfiles = $(targets) $(sources)
@@ -32,18 +30,16 @@ clean :
 $(RM) $(targets) *.pem

 check : all
- openssl verify -CApath . letsencryptauthorityx4.pem
+ openssl verify -CApath . isrgrootx1.pem
+ openssl verify -CApath . lets-encrypt-r3.pem
+ openssl verify -CApath . lets-encrypt-r4.pem

-23c2f850.signing_policy : letsencryptauthorityx4.signing_policy
- $(LINK) letsencryptauthorityx4.signing_policy 23c2f850.signing_policy
 4042bcee.signing_policy : isrgrootx1.signing_policy
 $(LINK) isrgrootx1.signing_policy 4042bcee.signing_policy
 6187b673.signing_policy : isrgrootx1.signing_policy
 $(LINK) isrgrootx1.signing_policy 6187b673.signing_policy
 8d33f237.signing_policy : lets-encrypt-r3.signing_policy
 $(LINK) lets-encrypt-r3.signing_policy 8d33f237.signing_policy
-929e297e.signing_policy : letsencryptauthorityx4.signing_policy
- $(LINK) letsencryptauthorityx4.signing_policy 929e297e.signing_policy
 9f194ecd.signing_policy : lets-encrypt-r4.signing_policy
 $(LINK) lets-encrypt-r4.signing_policy 9f194ecd.signing_policy
 dec71a0b.signing_policy : lets-encrypt-r3.signing_policy
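Review bot: In the `check` recipe, the new `openssl verify -CApath . isrgrootx1.pem` line tests a self-signed root against a directory that holds its own hash links (`4042bcee.0`, `6187b673.0`), so it passes for any self-consistent set of files and does not show that the file is the genuine ISRG Root X1. The `.pem` targets are fetched at build time by the `$(GET)` rules visible in the later hunks, so the only authenticity control appears to be the TLS connection to letsencrypt.org. Consider pinning the root by comparing the output of `openssl x509 -noout -fingerprint -sha256 -in isrgrootx1.pem` with a fingerprint committed to the repository (`<PINNED_SHA256_FINGERPRINT>`), and add a comment above the recipe such as `# verifies chain consistency and validity dates only; root authenticity comes from the pinned fingerprint`. The R3 and R4 lines are worth keeping as they are, since they confirm that each intermediate chains to that root.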
@@ -51,16 +47,12 @@ dec71a0b.signing_policy : lets-encrypt-r3.signing_policy
 dd7d39a7.signing_policy : lets-encrypt-r4.signing_policy
 $(LINK) lets-encrypt-r4.signing_policy dd7d39a7.signing_policy

-23c2f850.0 : letsencryptauthorityx4.pem
- $(LINK) letsencryptauthorityx4.pem 23c2f850.0
 4042bcee.0 : isrgrootx1.pem
 $(LINK) isrgrootx1.pem 4042bcee.0
 6187b673.0 : isrgrootx1.pem
 $(LINK) isrgrootx1.pem 6187b673.0
 8d33f237.0 : lets-encrypt-r3.pem
 $(LINK) lets-encrypt-r3.pem 8d33f237.0
-929e297e.0 : letsencryptauthorityx4.pem
- $(LINK) letsencryptauthorityx4.pem 929e297e.0
 9f194ecd.0 : lets-encrypt-r4.pem
 $(LINK) lets-encrypt-r4.pem 9f194ecd.0
 dec71a0b.0 : lets-encrypt-r3.pem
@@ -74,5 +66,3 @@ lets-encrypt-r3.pem :
 $(GET) https://letsencrypt.org/certs/lets-encrypt-r3.pem
 lets-encrypt-r4.pem :
 $(GET) https://letsencrypt.org/certs/lets-encrypt-r4.pem
-letsencryptauthorityx4.pem :
- $(GET) https://letsencrypt.org/certs/letsencryptauthorityx4.pem
diff --git a/isrgrootx1.signing_policy b/isrgrootx1.signing_policy
index 072f1a3..6d01eee 100644
--- a/isrgrootx1.signing_policy
+++ b/isrgrootx1.signing_policy
@@ -1,3 +1,3 @@
 access_id_CA X509 '/C=US/O=Internet Security Research Group/CN=ISRG Root X1'
 pos_rights globus CA:sign
-cond_subjects globus '"/C=US/O=Let\'s Encrypt/CN=Let\'s Encrypt Authority X4" "/C=US/O=Let\'s Encrypt/CN=R3" "/C=US/O=Let\'s Encrypt/CN=R4"'
+cond_subjects globus '"/C=US/O=Let\'s Encrypt/CN=R3" "/C=US/O=Let\'s Encrypt/CN=R4"'
diff --git a/letsencryptauthorityx4.signing_policy b/letsencryptauthorityx4.signing_policy
deleted file mode 100644
index b46c12e..0000000
--- a/letsencryptauthorityx4.signing_policy
+++ /dev/null
@@ -1,3 +0,0 @@
-access_id_CA X509 '/C=US/O=Let\'s Encrypt/CN=Let\'s Encrypt Authority X4'
-pos_rights globus CA:sign
-cond_subjects globus '"/CN=*"'