I have been using "ISRG Root X2" with acme.sh since the beginning, just curious if it is still needed after so many years, I switched to tlsserver profile and wondering if it still provides the shortest ECDSA chain if I omit the X2 flag in new servers. Just wanted to know if just using "tlsserver" profile flag is good enough for the short ECDSA only chain.
Thanks.
The default chain is still to X1 no matter which profile or key type you use as documented at Chains of Trust - Let's Encrypt under each intermediate certificate.
Specifying X2 is typically required for the shortest generally trusted chain. YE/YR (at least until a few days ago) could be used as the root certificate for the chain, however they're not generally trusted as root certificates at the moment so the shortest chain might not be suitable.
New chain Y is also the reason I asked this question. Chains change all the time and I think there should be a flag just to request the short ECDSA only chain irrespective of chain in use. Like acme.sh --chain-ecdsa and Letsencrypt offers the ECDSA only certificate. Letsencrypt should do something about it.
Let's Encrypt doesn't directly choose which certificate chain to use. Instead through the ACME protocol, a list of chains is presented to the client (with one preferred chain) and the client has to choose a chain to use.
Clients are free to select which chain to use and caddy currently supports something similar to what you're suggesting through the preferred_chains smallest option. (Global options (Caddyfile) — Caddy Documentation)
YE/YR are currently the reason I do not suggest using the shortest chain as the certificates are missing from almost all root trust stores.
The generation Y roots have not been submitted to any root program yet, so they shouldn't be included anywhere yet.
This is why there has to be an option for selecting a dedicated chain. Letsencrypt forced automation by issuing 90 days certificate but there is no way to set a preferred chain, the current solution is to change the name in the preferred chain for every server. Once the post quantum chain comes you have to do it all over again.
There should be something similar to this for ECDSA or PQ. acme.sh --preferred-chain "ECDSA"
Ultimately, there isn’t always one chain that is best to serve, because it might differ by your client.
The Microsoft IIS server serves the shortest chain based on its trust store, but that often causes compatibility problems for clients which don’t have an up-to-date trust store.
There are potential solutions coming in the future like draft-ietf-tls-trust-anchor-ids-04 - TLS Trust Anchor Identifiers which can help serve shorter chains or even different leaf certs.
Until then, personally I would want to just pick a root that I know will be widely trusted. Let’s Encrypt offers a default chain that we believe is maximally widely trusted (always chaining to X1 for the next few years at least), but you could opt for X2 today. You probably don’t want to opt to a chain ending in YE unless you also control all your clients.
That being said, is there a reason for not cross-signing Root YE from Root X1, to get a shorter chain:
EE <= YEn <= YE <= X1 instead of current EE <= YEn <= YE <= X2 <= X1 ?
Or are there clients that will distrust X1 in the near future, but not X2, so the maximum chain is needed for maximum compatibility?
X1 is 5 years older than X2, so we believe that it'll start to drop out of root stores well before X2. As a result we'd like to keep it in chains so users can choose an entirely ECDSA chain to a widely trusted root.
If there's any cross-sign we add, it'll be YR-by-X2, before we drop X1 from default chains. We're not doing that today to allow RSA-only implementations to continue to exist.
X2 is relatively widely trusted at this point, too, so YE_ → YE → X2 is going to be a pretty decent chain to serve if you can swing it (Android in particular is still going to be the biggest compatibility hazard until 14+ is ubiquitous).
When we introduce ZE and ZR in 2030, they'll be cross-signed by YE and YR. And then αE and αR in 2035 will be cross-signed by ZE and ZR. Of course, we'll have to wait and see if RSA and ECDSA roots are still being trusted in 2035 at all.