Hi everyone, Thanks for the great feedback in Let's Encrypt new hierarchy plans . We’re much closer to our key ceremony now. I’ve put together a detailed demonstration at https://github.com/letsencrypt/2020-hierarchy-demo . I’ve attached sample output from a run here, along with OpenSSL textual outpu…

Update: We had our key ceremony yesterday! :tada: We actually decided to use “O = Internet Security Research Group, CN = ISRG Root X2” as the name for our new ECDSA root, for consistency with our existing ISRG Root X1. The new certificates are disclosed in CCADB, and are also published here, along …

I’m wondering if there’re two root certificates named Let’s Encrypt Root x2, one is self-signed, the other is signed by ISRG Root x1. Do we have a plan to submit the self-signed one to the major browsers and OS(like Windows, Java,etc.,)? Is it possible to use sha384WithRSAEncryption or 4096 bit ke…

Every root cert is self-signed. i guess the new CA will be submit to the different major browsers soon after it is created.

I think I understand what’s happening; please correct me if I get something wrong. X2 is a brand new root. It’s going to end up getting published to the various browser/OS/etc root stores, after which both the existing X1 and the new X2 will be the true real ISRG/Let’s Encrypt roots, and both will …

by the way why root cert need to expire at all? If it’s not secure enough like private key leak or crypto break it will removed from trust store, and if it’s still secure but it expired then it will only cause problem to clients.

[image] petercooperjr: I think I understand what’s happening; please correct me if I get something wrong. You did a great job explaining things, @petercooperjr ! Thanks for that. :slight_smile: Also worth noting, since we mentioned it in previous posts but not here: We're planning to also get…

Thanks, I’m glad I’m understanding. So now I have a question, which is really just out of curiosity: If it takes around 5 years before you can rely on root trust stores having a new root, and these intermediates have lifetimes of around 5 years, why would one have E1/E2 signed by X2 rather than X1? …

[image] petercooperjr: why would one have E1/E2 signed by X2 rather than X1? That is, if you need to chain up to X1 for the next 5 years or so anyway (and so you can’t really have a full-ECDSA chain until the next set of intermediates comes along), what’s the advantage of the added step in leaf→…

Heh. Wouldn’t be the first thing I’ve done backwards. I’ll see if I can remember to draw arrows from root to leaf from now on since that’s the “standard”. :slight_smile: One possibility that occurred to me was I didn’t know if routing through X2 allowed browsers/validators to shortcut the top-level…

[image] jsha: FYI lencr.org is not a URL shortener. It’s just another hostname that we control and will configure to directly serve the relevant resources. any chance that domain name might change to something that reads more like "encrypt"?

[image] petercooperjr: . I guess I want to know what the “X” stands for. I assumed it was for X.509

Detailed 2020 hierarchy

Issuance Tech

Topic		Replies	Views
Let's Encrypt new hierarchy plans Issuance Tech	30	10433	September 12, 2020
Let's Encrypt New Intermediate Certificates Issuance Tech	62	6357	February 7, 2024
ECDSA Root and Intermediates ISRG/Organizational	28	8274	June 11, 2020
Preview of our upcoming Root Ceremony Issuance Tech	29	1598	August 24, 2025
Renewing X2-by-X1 cross-signed root Issuance Tech	38	1575	May 16, 2024

Detailed 2020 hierarchy

Related topics