Issuance on R3 vs. X3: is this configurable?

Hi everyone! For all of you guessing that issuance would begin from R3 "soon", you're right! See the announcement post here: Beginning Issuance from R3

To answer the original question: No, you will not be able to configure whether your end-entity certificate is issued by R3 or issued by X3. When we begin issuance from R3, it will be replacing X3, not co-existing side-by-side.

Some additional context and detail, to help remove any pieces of confusion brought up in this thread:

As @_az pointed out, there are two separate events coming up: changing our issuance from X3 to R3, all while continuing to chain up to IdenTrust's DST Root CA X3 trust anchor; and then changing our chain from DST Root X3 to our own ISRG Root X1 trust anchor. The former is time-constrained by the expiration of our X3 intermediate (it was issued with 5 years of validity back in 2016); the latter is effectively time-constrained by the expiration of DST Root CA X3 (it was issued with 21 years of validity back in 2000). Although these events seem related and are happening at around the same time, conceptually they are wholly orthogonal and could happen in either order, completely independently.

When we talk about chains of trust, it is really easy to get confused about what it means to be "issued by" something. Remember that certificates do not issue other certificates: private keys issue certificates. The acme client does not have control* over what private key is used to issue the requested end-entity certificate. But, there might be multiple certificates which all say "I trust this intermediate public key", signed by various different root private keys. In our case, all of our issuing private keys (e.g. X3 and R3) have two certificates indicating trust in them: one each signed by IdenTrust's DST Root CA X3 and by ISRG's Root X1. Our ACME API provides as a courtesy the ability to control which of those two certificates you get bundled with your new end-entity certificate. But at the end of the day, they both represent the same private key which issued your new cert.

* It will have some control when we begin parallel issuance from E1: the ability to choose between R3 (RSA) and E1 (ECDSA). But that's a separate conversation.