ECDSA availability in production environment

We officially have our ECDSA intermediate up and running in Production, and are ready to allow-list accounts to try this feature! With a production allow-listed account, all requests for certificates with ECDSA keys will be issued from our ECDSA hierarchy. There will not be a way to get an RSA certificate for an ECDSA key, nor vice versa; the way to control which issuer you get is to control what kind of key you generate locally.

All certificates issued by this intermediate will come with this chain:

end-entity certificate <-- E1 <-- ISRG Root X2 <-- ISRG Root X1

We will not offer an alternate, shorter chain rooted at X2 until X2 is accepted into most root programs' trust stores.

ECDSA issuance is available for all Staging accounts and can be used for testing.

Before signing up please note an account cannot be removed from the allow-list.

If you would like your account to be allow-listed for ECDSA issuance in Production, please fill out this form:

We'll be processing allow-list requests in batches, most of which will go out Thursday with our normal Production updates.

At this time, we don’t have a date for removing the ECDSA allow-list. If you have additional questions, we've started a thread here.