Keep "Let's Encrypt Authority X3" for renewed certificate

Yes, the signing root certificate, but not the intermediate.

Yes, it is unfortunate and does cause a bit of confusion, as two things (both with "X3" in the name, being closely associated with each other) will both expire this year [about 6 months apart from each other].
But they are two independent things - which were never restricted to only work with each other.
Any trusted root can sign any intermediate or even another trusted root.
[preferably ones with shorter life spans than the one signing]
Any intermediate can be signed by any trusted root or multiple trusted roots.
[preferably ones with longer life spans than the one being signed]

As @aarongable said, the cross-signed R3 expires in 2021 (along with its root) but the ISRG signed R3 expires in 2025.


I wanted to comment on this thread because you spoke of the "MAX" lifetime of certificates. That is only half the concern. The big concern is the MINIMUM lifetime of certificates.

At any point in time, the following can happen:

  • Your Certificate is revoked.
  • The Intermediate is Revoked (unlikely)
  • The Intermediate Expires (e.g. DST signed certs in September)
  • The Intermediate is Retired (Let's Encrypt decides to no longer sign with that key)
  • The Root Expires (e.g. DST in September)
  • The Root is Revoked (extremely unlikely, but possible)

The danger of certificate pinning is that while you can generally predict the MAXIMUM life of an Issued Certificate, Intermediate or Root... you cannot predict the MINIMUM life for any of these, and your system must be able to adapt to a sudden change.
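
An added example, not code from this thread or from Let's Encrypt, that models the point above: a chain is usable only as long as its shortest-lived member, and a pinned client keeps working only if some chain the server can still offer contains a pinned key. All names, key labels and exact dates are constructed; only the years 2021 and 2025 and the September DST expiry come from the thread.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Cert:
    name: str
    key_id: str                        # stand-in for the public-key hash a pin stores
    not_after: date                    # the predictable MAXIMUM life
    revoked_on: Optional[date] = None  # not knowable in advance

    def usable_until(self) -> date:
        return min(self.not_after, self.revoked_on or self.not_after)

def path_usable_until(path) -> date:
    """A path lives only as long as its shortest-lived member."""
    return min(c.usable_until() for c in path)

def pinned_client_works(paths, pins, today) -> bool:
    """True if some offered path is still usable and contains a pinned key."""
    return any(path_usable_until(p) >= today and any(c.key_id in pins for c in p)
               for p in paths)

# Constructed sample data (hypothetical key ids and dates).
DST_ROOT = Cert("DST root", "key-dst", date(2021, 9, 30))
ISRG_ROOT = Cert("ISRG root", "key-isrg", date(2035, 6, 4))
# Both R3 certificates carry the same key; only the signer and expiry differ.
R3_CROSS = Cert("R3 cross-signed by DST", "key-r3", date(2021, 9, 29))
R3_ISRG = Cert("R3 signed by ISRG", "key-r3", date(2025, 9, 15))
LEAF = Cert("renewed leaf", "key-leaf", date(2021, 12, 1))

def paths_for(leaf):
    return [[leaf, R3_CROSS, DST_ROOT], [leaf, R3_ISRG, ISRG_ROOT]]

def scenarios():
    sep, octo = date(2021, 9, 15), date(2021, 10, 15)
    revoked = replace(LEAF, revoked_on=date(2021, 9, 10))
    return {
        "pin on retired X3 key, renewal now chains to R3":
            pinned_client_works(paths_for(LEAF), {"key-x3"}, sep),
        "pin on DST root key, before its expiry":
            pinned_client_works(paths_for(LEAF), {"key-dst"}, sep),
        "pin on DST root key, after its expiry":
            pinned_client_works(paths_for(LEAF), {"key-dst"}, octo),
        "pin on R3 key, after DST expiry (ISRG path remains)":
            pinned_client_works(paths_for(LEAF), {"key-r3"}, octo),
        "pin on leaf key, leaf revoked early":
            pinned_client_works(paths_for(revoked), {"key-leaf"}, sep),
    }

if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{'works ' if ok else 'BREAKS'}  {label}")
```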