Let's Encrypt New Intermediate Certificates

There will be one new chain: Because the ECDSA intermediates are going to be signed by X1, there are going to be options:

ecdsa-leaf -> eN-by-X1 -> X1-root
ecdsa-leaf -> eN-by-X2 -> X2-root
ecdsa-leaf -> eN-by-X2 -> X2-by-X1 -> X1-root

I'm not sure what we'll have as the default in ACME, but it'll presumably be one of the chains to X1. I think we'll make a later announcement about actually changing the chains offered as part of the /launch/ of the new intermediates (this announcement is just creation -- there will be a gap before they go live).

For the RSA intermediates, they will only be signed by X1, so there will be no alternate chains at all (once DST X3 has expired).

7 Likes

Thanks. I never thought about chains before and then looked at the RSAs and realized the scenarios are likely:

  • rsa-leaf -> R5 -> X1
  • rsa-leaf -> R6 -> X1
4 Likes
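
An added example, not part of either post and not Let's Encrypt code: a small path builder over the signing relationships named in the thread, showing which chains a client can build depending on which roots it trusts. The `Cert` records are a constructed model (labels only, no real certificate data), and `build_chains` is a hypothetical helper.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    label: str    # name used in the thread, e.g. "eN-by-X1"
    subject: str  # key being certified
    issuer: str   # key that signed it

# Constructed model of the thread's signing relationships (assumption:
# "eN", "R5" and "R6" are the posters' names for the intermediates).
CERTS = [
    Cert("X1-root", "X1", "X1"),
    Cert("X2-root", "X2", "X2"),
    Cert("X2-by-X1", "X2", "X1"),   # cross-sign of X2 by X1
    Cert("eN-by-X1", "eN", "X1"),
    Cert("eN-by-X2", "eN", "X2"),
    Cert("R5", "R5", "X1"),
    Cert("R6", "R6", "X1"),
]

def build_chains(leaf, trusted=("X1-root", "X2-root"), certs=CERTS):
    """Return every path from leaf to a trusted self-signed root."""
    chains = []

    def walk(cert, path):
        for parent in certs:
            # Follow only certs for the issuing key; never revisit a cert.
            if parent.subject != cert.issuer or parent.label in path:
                continue
            if parent.subject == parent.issuer:      # self-signed root
                if parent.label in trusted:          # must be a trust anchor
                    chains.append(path + [parent.label])
            else:
                walk(parent, path + [parent.label])

    walk(leaf, [leaf.label])
    return [" -> ".join(c) for c in chains]

ECDSA_LEAF = Cert("ecdsa-leaf", "ecdsa-leaf", "eN")
RSA_LEAF = Cert("rsa-leaf", "rsa-leaf", "R5")

if __name__ == "__main__":
    for trust in (("X1-root", "X2-root"), ("X1-root",), ("X2-root",)):
        print(trust, build_chains(ECDSA_LEAF, trust))
    print(build_chains(RSA_LEAF))
```

A client that trusts only X2 can use just the direct X2 chain, while a client that trusts only X1 can still validate an eN-by-X2 leaf through the X2-by-X1 cross-sign.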
