How do I know when Let's Encrypt will renew or issue me a certificate signed with a new intermediary?

I am using Let’s Encrypt on my server to issue certificates and auto renew them every 3 months.

I am using IOT devices that have the intermediary certificate Let’s Encrypt uses ( Let’s Encrypt Authority X3) embedded in the firmware so I can validate I am talking to my server.

This intermediary certificate appears to be valid until 2021.

I am wondering if there is any way for me to know when my server certificates will become signed by a new intermediary so I can push a firmware update? Will this intermediary keep signing my certificates? Up until when?

Maybe there is no way to know, in which case is there a better way to do what I’m doing? I didn’t really want to be my own CA and self sign just the endpoint the devices connect to.

Amazon’s IOT platform uses a CA certificate that is valid until 2049, but I don’t use their services.

So it looks like all the intermediary certificates actually have the same public key, will this continue when the issue new ones?

You should never trust intermediates.

The issuer/intermediate may be replaced at any time (in cases, for example, if it suffered online compromise and had to be revoked). The way the ACME protocol is written, you could get a certificate from a different issuer at any moment.

I think the idea is that you should have some trust anchors embedded in your firmware. The ones that Let’s Encrypt uses are ISRG Root X1 and DST Root CA X3 (expiring 2035 and 2021, respectively). They provide the proof that the intermediates used by Let’s Encrypt are trustworthy.

If you are pushing firmware updates to your devices, you should be signing the updates with a key that will be valid for at least as long as the maximum lifetime of your devices. If you do that, you can just include an up-to-date set of trust anchors/roots in each update.

This is similar to how Linux distributions work - they get their ca-certs via packages signed using a longer-term fixed signing key (the firmware signing key, in your case).


Thank You!

I have been looking at this and you are confirming what I have been piecing together.

I can include both ISRG Root X1 and DST Root CA X3 on the device and hope that after DST Root expires Let’s Encrypt starts using ISRG Root, then I won’t have to do anything. If I do need update the CA certs trusted by the embedded TLS (maybe my devices last until 2035 haha), then I will issue a signed firmware update to the device.

Probably not terribly helpful to point out, but here we go anyway - you can use the ISRG-signed intermediate right now, by sending the ISRG-signed "Let's Encrypt CA X3" certificate instead of the DST-signed one. You don't technically need to wait.

It's probably a somewhat shady thing to do, though, because it involves manually managing what intermediate you are sending from your server, and explicitly ignoring the intermediate sent to you via ACME.

@_az Cool, I haven’t read too much into Let’s Encrypt’s certificate chain until today. I was wondering how I could use that certificate today since the certificates page says it is cross signed with ISRG too. My Digital Ocean load balancer setup only sends the DST signed one. Maybe I’ll have to try using the tools to get a certificate myself instead of Digital Ocean managing it.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Looks like Let’s Encrypt have announced they are dropping the cross-signing this year.

July 8, 2019 - ACME server will send the non-cross-signed issuer/intermediate with newly issued certificates.