On Jun 15, 2016, at 9:38 AM, Warren Young <wyml at etr-usa.com> wrote: > > On Jun 15, 2016, at 9:02 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote: > >> I do not see neither starttls.com nor letsencrypt.org between Authorities >> certificates. > > That’s because they are not top-tier CAs. I forgot to mention that letsencrypt.com uses one of its own certificates. You can use your browser’s certificate detail view to see the chain of trust. I see two levels here: IdenTrust -> TrustID -> Let’s Encrypt. As for starttls.com, that doesn’t exist; you’re probably confusing it with the SMTP STARTTLS protocol extension. What you mean is startssl.com, which is the main public face of StartCom. StartCom is a top-tier CA.