Hi Cory,
thank you for this info. It makes perfect sense.
On 27.10.2015 at 21:37, Cory (NQ1E) wrote:
> The oldest of the three LotW root CAs hasn't been in use for several years and can be discarded. I think I heard that they lost the private key for it, or something silly like that.
Bad things happen ...
> The second one is their SHA1 root CA cert that they've been using up until this year, but should be kept around for a while because some people still have call sign certs in that chain. Since call sign certs are only signed for two years, you can discard that root CA too once the existing call sign certs expire.
I guess this is the cert with serial 0xe7b27ba978517c65 as Heikki has shown. So it looks like it still also is the current active cert that the OpenVPN is tested against.
> The latest LotW root CA was created this year using modern crypto tech. It was necessary because it's expected that SHA1 will be broken within a few years, so everyone's in a hurry to move away from it.
Ok, and this is the cert of the CA that was used to sign my certificate.
I guess this is my problem, no?
Roland
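The question in this thread, which of the three LotW root CAs issued a given call sign cert and whether the CA file OpenVPN is configured with (its `ca` directive) actually contains that root, can be answered with the openssl CLI alone. The following script is an added example written for this page, not code from the thread, from LotW or from OpenVPN. File names such as `ca-bundle.pem` and `callsign.pem` are assumptions; the functions take any PEM files.

```sh
#!/bin/sh
# Added example (not from the thread): report which CA in a PEM bundle
# issued a leaf cert, print its serial, and run the same chain check
# OpenVPN performs against its "ca" file. Needs only the openssl CLI.
# File names used below (ca-bundle.pem, callsign.pem) are assumptions.
set -eu

# Serial number of a PEM cert as openssl prints it (upper-case hex).
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Subject / issuer DN with openssl's "subject=" or "issuer=" prefix removed.
# The prefix spacing differs between OpenSSL versions, so strip it generically.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^[a-z]*= *//'; }

# Split a PEM bundle into one file per certificate (ca_1.pem, ca_2.pem, ...)
# under directory $2, so each CA can be inspected on its own.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/ca_" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Print the serial of the CA in bundle $1 whose subject DN equals the issuer
# DN of leaf $2. Returns 1 if no CA in the bundle matches, which means
# OpenVPN has no chance of trusting this leaf regardless of what else the
# file contains. Matching by DN string is a diagnostic shortcut; the real
# binding is the signature, which chain_ok below checks.
issuing_ca_serial() {
  bundle="$1"; leaf="$2"
  want=$(cert_issuer "$leaf")
  tmp=$(mktemp -d)
  split_bundle "$bundle" "$tmp"
  rc=1
  for ca in "$tmp"/ca_*.pem; do
    [ -f "$ca" ] || continue
    if [ "$(cert_subject "$ca")" = "$want" ]; then
      cert_serial "$ca"
      rc=0
      break
    fi
  done
  rm -rf "$tmp"
  return $rc
}

# Full signature/chain check: does the leaf verify against the bundle?
# This is what OpenVPN does at handshake time (minus CRL and EKU checks).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage (assumed file names):
#   issuing_ca_serial ca-bundle.pem callsign.pem   -> serial of the issuing root
#   chain_ok ca-bundle.pem callsign.pem && echo "chain verifies"
```

If `issuing_ca_serial` prints nothing, the root that signed the call sign cert is simply not in the bundle and needs to be added; if it prints a serial but `chain_ok` still fails, the bundle has a cert with the right name but the wrong key (for example an older root reissued under the same subject), and the serial tells you which file to replace.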