> Yes. To make things even more complex, a few sites also have an > older version of R3 that is directly signed by the DST root: > > - leaf <- R3 <- DST Root CA X3 (self-signed) > > but that's far from common at this point.
That old R3 root was issued last winter and got installed in Windows Server 2018 intermediate stores then, and was still being sent out on 29th and 30th, despite expiring on 29th. Perhaps because IIS caches server certificates. I had to delete it from the Windows store and reboot the server to stop it being sent out by IIS. Angus
