Future of cross signed roots


I'm working on an embedded device with limited memory.
The server, until now, uses a certificate derived from ISRG Root X1 (RSA). If I under stand the cross-signing correct, it is possible to validate RSA and EC with ISRG Root X1 because of the cross signing?
What's the cross signing policy for the next root certificates when X1 expires? Will the next RSA root also cross signed to ISRG Root X2 (EC)?

My point is, can I assume that the following RSA certificate (after 2035) can also be used to check the EC path or will the RSA and EC paths completely separated?


1 Like

Check this thread:


There's a cross sign from ISRG Root X2 to ISRG Root X1 to increase compatibility, yes. For the short term future (the next few years) there will be cross-signed intermediates to either ISRG Root X2 or ISRG Root X1, depending on what the server operator chooses to serve.

Note that these cross signs are completely optional (both already and in the future): Any server operator can choose to not serve them. Eventually, as ISRG Root X2 is widely trusted many server operators will stop serving compatibility chains up to X1, if they use ECDSA. It is also possible that Let's Encrypt will eventually stop providing such cross-signs in some years.

ISRG Root X1 expires in 2035. Whatever happens, Let's Encrypt will have long stopped using ISRG Root X1 in 2035. There will most likely be a new root by then (something that doesn't exist yet), perhaps even different algorithms. I would not rely on being able to validate anything with X1 in 2035 and beyond.

Separating RSA and EC paths is something that is already possible today, and will be possible in the future. Maybe it will become the only path in the future.

For any TLS device using the public PKI, you need an option to update the root certificates stored on that device. Let's Encrypt may migrate to different roots at any time, may shut down completely or other unforeseeable circumstances radically change things. The general recommendation is to ship your own root certificate that you can use in emergencies to push updates. Note that if storage is limited, ECDSA certificates are typically less than half the size of an equivalent RSA certificate.


Being able to update roots is important. We can’t guarantee any particular future of our PKI.

Our Root X1 is widely trusted, so it is very likely that any future roots will be cross-signed by Root X1 until its expiry in 2035.

After that, I suspect the web PKI may start to look very different. We may not issue any future RSA roots, and transition entirely to ECDSA and/or post-quantum signing algorithms. We may not issue long-lived roots again at all, as there’s been a push to shorten root lifetimes and replace them more frequently.

If you have devices intended to be supported beyond 2035 that uses Let’s Encrypt, you must build in an update mechanism.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.