ISRG Root X2 testing

When will we be able to select ISRG Root X2 with --preferred-chain 'ISRG Root X2'?
Specifically will this function be enabled before DST Root CA X3 expires?

Hi Ben,

I think it's worth having another look at the certificate diagram on

ISRG Root X2 is not a replacement for ISRG Root X1. Both will be used contemporaneously, the former for ECDSA certificates and the latter for RSA certificates.

Regarding the expiry of DST Root CA X3: right now the default certificate chain you get from Let's Encrypt uses a version of "Let's Encrypt Authority X3" which is cross-signed by this soon-expiring root.

If you want to stop using this cross-signed chain early, you can use --preferred-chain "ISRG Root X1" today.

For everyone else, the cross-signed chain will stop being the default from 11 January 2021.


Hi az, thanks for your feedback.

Do you or anyone else know the date we can use ISRG Root X2?

Thanks again,