ISRG Root X2 testing

bcorby · October 9, 2020, 2:44am

When will we be able to select ISRG Root X2 with --preferred-chain 'ISRG Root X2'?
Specifically will this function be enabled before DST Root CA X3 expires?
Thanks,
Ben.

_az · October 9, 2020, 3:14am

Hi Ben,

I think it's worth having another look at the certificate diagram on https://letsencrypt.org/certificates.

ISRG Root X2 is not a replacement for ISRG Root X1. Both will be used contemporaneously, the former for ECDSA certificates and the latter for RSA certificates.

Regarding the expiry of DST Root CA X3: right now the default certificate chain you get from Let's Encrypt uses a version of "Let's Encrypt Authority X3" which is cross-signed by this soon-expiring root.

If you want to stop using this cross-signed chain early, you can use --preferred-chain "ISRG Root X1" today.

For everyone else, the cross-signed chain will stop being the default from 11 January 2021.

bcorby · October 9, 2020, 4:50am

Hi az, thanks for your feedback.

Do you or anyone else know the date we can use ISRG Root X2?

Thanks again,
Ben.

system · November 8, 2020, 4:50am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ISRG Root X1 replaces DST Root CA X3? Help	6	1511	October 29, 2021
IdenTrust DST Root CA X3 expiry Help	18	5233	November 6, 2021
Issue root ISRG Root X3 with RSA cross-signed by ISRG Root X1 Issuance Policy	11	1369	December 19, 2022
Can not connect using ISRG root X1 Issuance Tech	21	1876	September 25, 2021
KeyStore / ISRG Root X1 Help	7	1614	October 8, 2021

ISRG Root X2 testing

Related Topics