I’m afraid you’re correct. This won’t move up the date for an ECDSA intermediate. We’ll be using the same intermediate key, but with a new cert that has a new Subject and lacks the nameConstraints.
Well, depending on whether Firefox works with SP2, it could even work there. Even with EC.
The point is that, unlike most other browsers, Firefox does its own encryption etc., so even if the system is way too old, Firefox could access high-security HTTPS pages.
Please publish the new CA certs as soon as possible, because I am using HPKP and have it locked to the LEAX1 and LEAX2 certificates. I need to add keys from the new certs (LEAX3&4) early, before they reach production.
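Added example, not part of the original posts and not Let's Encrypt code: an HPKP pin (RFC 7469) is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, so a reissued certificate that keeps its key (new Subject, as described in the first post) keeps its pin, while an intermediate with a new key needs its pin added before it is served. Assumptions: the helpers `tlv` and `toy_cert`, the "Example CA" names and the key bytes are constructed sample data (cert-shaped DER, unsigned), not real intermediates.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos + hdr, end

def spki_der(cert):
    """Return the raw SubjectPublicKeyInfo element of a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, pos)  # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields[0][0] == 0xA0:               # optional [0] version field
        fields.pop(0)
    _, start, end = fields[5]  # serial, sigAlg, issuer, validity, subject, SPKI
    return cert[start:end]

def hpkp_pin(cert):
    """pin-sha256 value per RFC 7469: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

# --- constructed sample data: cert-shaped DER, unsigned, not real certs ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only (< 128)

def toy_cert(cn, key):
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
               + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + name + tlv(0x30, b"") + name + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

old = toy_cert(b"Example CA A1", b"\x04" + b"\x11" * 8)
reissued = toy_cert(b"Example CA A1 v2", b"\x04" + b"\x11" * 8)  # same key
new_key = toy_cert(b"Example CA A3", b"\x04" + b"\x22" * 8)      # new key

if __name__ == "__main__":
    for label, c in (("old", old), ("reissued", reissued), ("new key", new_key)):
        print(f'{label:9} pin-sha256="{hpkp_pin(c)}"')
```

For a real intermediate, base64-decode the PEM body to DER and pass the bytes to `hpkp_pin`.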
@jsha, So just so that I do it right, all I need to do now is to run
letsencrypt-auto certonly
Then how do I determine if it has successfully installed the new cert and is working now with XP? I tried the above, and it said it was successful, but my users are still saying they can not access.
Your certificate was issued on March 3rd. Did you reload your web server? Changes to certificate files won’t be picked up otherwise.
If restarting the web server doesn’t help:
Was ./letsencrypt-auto certonly the complete command you ran? You’ll probably want to run the exact same command you ran initially when you first got your certificate, plus --force-renewal. You could also try ./letsencrypt-auto renew --force-renewal.
One issue: The default cipher suites and protocols configured by the Let’s Encrypt client are not compatible with Windows XP. If you need to support XP users, you will want to use the “Old” settings from Mozilla’s TLS configuration page.
Well, helloworld is (/was?) also the first valid certificate of Let’s Encrypt ever, right? So in a way it’s some sort of a milestone… Something rememberable.
Somehow it’s also a shame if that first ever valid certificate goes away, right?