Enabling SHA256 Subject Key Identifiers for end-entity certificates

Let's Encrypt is updating the way we compute the unique and opaque "Subject Key Identifier" field in end-entity certificates. Previously, we used a SHA1 hash, as suggested by RFC 5280 Section 4.2.1.2. Going forward, we will be using the first 160 bits of a SHA256 hash, as standardized by RFC 7093 Section 2(1). This should not have any effect on Let's Encrypt Subscribers, nor on visitors to Subscribers' websites.

We intend to deploy this change in staging tomorrow, January 10. Assuming the staging deploy goes smoothly, we will deploy this to production on January 17. All updates will be posted here.

19 Likes
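The two derivations named in the announcement, as an added example (not Let's Encrypt's code): it computes the RFC 5280 SHA-1 identifier and the RFC 7093 truncated SHA-256 identifier over the same subjectPublicKey BIT STRING and reports which one a given SKI matches. The function names and the sample SubjectPublicKeyInfo (an Ed25519 header followed by filler key bytes) are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
)

// computeSKIs hashes only the subjectPublicKey BIT STRING contents (no tag, length or unused-bits octet).
func computeSKIs(spkiDER []byte) ([]byte, []byte, error) {
	var s struct { // SubjectPublicKeyInfo
		Algorithm asn1.RawValue
		PublicKey asn1.BitString
	}
	if rest, err := asn1.Unmarshal(spkiDER, &s); err != nil || len(rest) != 0 {
		return nil, nil, fmt.Errorf("bad SPKI: err=%v, %d trailing bytes", err, len(rest))
	}
	h1 := sha1.Sum(s.PublicKey.Bytes)        // RFC 5280 Section 4.2.1.2, method (1)
	h256 := sha256.Sum256(s.PublicKey.Bytes) // RFC 7093 Section 2(1)
	return h1[:], h256[:20], nil             // leftmost 160 bits = 20 bytes
}

// classifySKI reports which derivation, if either, produced the given SKI.
func classifySKI(spkiDER, ski []byte) string {
	s1, s256, err := computeSKIs(spkiDER)
	switch {
	case err != nil:
		return "invalid-spki"
	case bytes.Equal(ski, s256):
		return "rfc7093-sha256-160"
	case bytes.Equal(ski, s1):
		return "rfc5280-sha1"
	}
	return "other" // neither derivation matched
}

// sampleSPKI is constructed input: an Ed25519 SPKI header plus 32 filler bytes standing in for the key.
func sampleSPKI() []byte {
	hdr := []byte{0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00}
	return append(hdr, bytes.Repeat([]byte{0xa5}, 32)...)
}

func main() {
	der := sampleSPKI()
	s1, s256, _ := computeSKIs(der)
	fmt.Printf("%X %s\n%X %s\n", s1, classifySKI(der, s1), s256, classifySKI(der, s256))
}
```

To audit a real certificate, pass the `RawSubjectPublicKeyInfo` and `SubjectKeyId` fields of a parsed `crypto/x509` certificate to `classifySKI`.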

This change has been deployed in staging.

11 Likes

We are pushing the production deploy date to Tuesday, January 23.

8 Likes

This was deployed to production today, January 25.

13 Likes