Keep "Let's Encrypt Authority X3" for renewed certificate

you are thinking of DST root X3, intermediate CA X3 is only a 2 mounth left and cannot sign by current boulder without extend leaf's life behind CA's


X3 is beyond browning out - it is off.
The current pending brownouts are for ACMEv1 deprecation.
See: End of Life Plan for ACMEv1 - API Announcements - Let's Encrypt Community Support


Thanks for the link. I fail to see where exactly it says that the intermediate X3 is Off and cannot be renewed. Can someone post a screenshot of it.

1 Like

Hi @sarathyplkr5

an intermediate certificate isn't something to renew.

That's how the certificate system works.

Root and intermediate certificates are replaced with new private / public keys, not renewed.

Clients should never use hardcoded intermediate certificates. A client with such a behaviour is a wrong configured client.


Beginning Issuance from R3 - API Announcements - Let's Encrypt Community Support


There is much more detail about this in the thread

1 Like

Thank you for help and links!
As I understand right, If my devices could not connect to any external IP (included any CA), I need to keep all chain of trusted certificates in devices.
R3 will be expired 29/09/2021, so, I think, next time i will need to change intermediate certificate maximum in July, 2021. Am I right?

1 Like

Intermediates can change at any given moment without notice.
You should include your own CA root as a safety net.


Thank you very much!


(As a side note, this expiration date is incorrect -- The R3 cross-sign from IdenTrust expires in late 2021, but the R3 issued from our own ISRG Root X1 doesn't expire until 2025. That said, the advice above is still correct! Don't pin or rely on intermediates, as we may have to (for example) switch to using R4 at a moment's notice.)


just to clarify: Until the old Root+ Intermediate will expire there is no chance to renew certificates signed by "Lets Encrypt Authority X3" and "DST Root CA X3"?
Just wondered, because I thought the new options in all those acme clients "preferred chain" or similar are just for this purpose.

Has been retired, and it will soon expire.

It will not be signing anything ever again.

Sure, I know it will expire on 17th of march this year.
It could have been possible to issue certificates until this date :smiley:

Not exactly.
It should never authorize a cert beyond its' own life.
So it had to stop issuing 90 day certs... 91 days before it expires.
[2021/03/17 - 91 days was on 2020/12/16]
As also seen on the first line of this post: Beginning Issuance from R3 - API Announcements - Let's Encrypt Community Support

Thanks, is was just not clear to me.
Because the acme_certificate module in ansible suggests that it is still possible: - the last example selects the chain of the old DST Root.

Sure "possible".
It could now issue a cert with 100 years life on it.
But no browser, nor anyone, would ever honor that cert either (past his own life time).

After re-reading it, I only see: "DST Root CA X3"
Not any mention of "Let's Encrypt Authority X3"

Yes, the signing root certificate, but not the intermediate.

1 Like

Yes, it is unfortunate and does cause a bit of confusion as two thing (both with "X3" in the name, being closely associated with each other) will both expire this year. [about 6 months apart from each other]
But they are two independent things - which were never restricted to only work with each other.
Any trusted root can sign any intermediate or even another trusted root.
[preferably ones with shorter life spans than the one signing]
Any intermediate can be signed by any trusted root or multiple trusted roots.
[preferably ones with longer life spans than the one being signed]

As @aarongable said, the cross-signed R3 expires in 2021 (along with it's root) but the ISRG signed R3 expires in 2025.


I wanted to comment on this thread because you spoke of the "MAX" lifetime of certificates. That is only half the concern. The big concern is the MINIMUM lifetime of certificates.

At any point in time, the following can happen:

  • Your Certificate is revoked.
  • The Intermediate is Revoked (unlikely)
  • The Intermediate Expires (e.g. DST signed certs in September)
  • The Intermediate is Retired (LetsEncrypt decides to no longer sign with that key)
  • The Root Expires (e.g. DST in September)
  • The Root is Revoked (extremely unlikely, but possible)

The danger of certificate pinning, is that while you can generally predict the MAXIMUM life of an Issued Certificate, Intermediate or Root... you can not predict the MINIMUM life for any of these, and your system must be able to adapt to a sudden change.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.