ISRG Root X2 testing

When will we be able to select ISRG Root X2 with --preferred-chain 'ISRG Root X2'?
Specifically will this function be enabled before DST Root CA X3 expires?
Thanks,
Ben.

Hi Ben,

I think it's worth having another look at the certificate diagram on https://letsencrypt.org/certificates.

ISRG Root X2 is not a replacement for ISRG Root X1. Both will be used contemporaneously, the former for ECDSA certificates and the latter for RSA certificates.

Regarding the expiry of DST Root CA X3: right now the default certificate chain you get from Let's Encrypt uses a version of "Let's Encrypt Authority X3" which is cross-signed by this soon-expiring root.

If you want to stop using this cross-signed chain early, you can use --preferred-chain "ISRG Root X1" today.

For everyone else, the cross-signed chain will stop being the default from 11 January 2021.

2 Likes

Hi az, thanks for your feedback.

Do you or anyone else know the date we can use ISRG Root X2?

Thanks again,
Ben.