Deploying Let's Encrypt's New Issuance Chains

On Thursday, June 6th, 2024 , we will be switching issuance to use our new intermediate certificates. Simultaneously, we are removing the DST Root CA X3 cross-sign from our API, aligning with our strategy to shorten the Let’s Encrypt chain of trust. We will begin issuing ECDSA end-entity certificates from a default chain that just contains a single ECDSA intermediate, removing a second intermediate and the option to issue an ECDSA end-entity certificate from an RSA intermediate. The Let’s Encrypt staging environment will make an equivalent change on April 24th, 2024.

Most Let’s Encrypt Subscribers will not need to take any action in response to this change because ACME clients, like certbot, will automatically configure the new intermediates when certificates are renewed. The Subscribers who will be affected are those who currently pins intermediate certificates.

For more information, see the announcement on our website:

21 Likes

We have identified a small problem with our new staging intermediates, which is delaying the change going live in staging. I will update this thread once the change is made in staging, which should still be within the next week.

12 Likes

This change is now live in staging.

Certificates are being issued from issuers with common names:

(STAGING) Pseudo Plum E5
(STAGING) False Fennel E6
(STAGING) Counterfeit Cashew R10
(STAGING) Wannabe Watercress R11

Please use the next month to test implementations in staging before the new intermediates are deployed to production on June 6th. If you have any issues, concerns, or questions, please ask on this forum.

13 Likes