AIA CA Issuers links and the ISRG X1 cross-sign from DST X3

With the upcoming ISRG X1 cross-sign for Android compatibility, I'm wondering what chain the certificates referenced in the CA Issuers link in the Authority Information Access section will point to.

Currently leaf certificates have a link to http://r3.i.lencr.org, which is the R3 intermediate issued off of the DST Root CA X3 certificate that's expiring in September.

Given that the plan is for the default chain to change, will that link point to the R3 signed by ISRG Root X1 instead? And will the AIA CA Issuers link in the ISRG Root X1 certificate point to the DST Root CA X3 certificate?

Would this change happen concurrently with the switchover to the new default chain for issuance?

4 Likes

Welcome Back to the Let's Encrypt Community, Joe :slightly_smiling_face:

@lestaff

What say you?

2 Likes

We intend for the contents served by that AIA URL to always reflect the version of the issuer certificate provided by our default chain. As such:

Yes, and yes.

4 Likes