Meaning of "X" in intermediate cert, multiple anonymous registrations ok?


#1

Hi all,

I have two questions for which I was unable to find answers:

  1. Let’s Encrypt issues certificates from the “Let’s Encrypt Authority X3” intermediary. The meaning of “3” is clear both from context and the CPS as being a monotonically increasing number for each version of the certificate.

However, what’s the meaning of the “X”?

In other CAs, I often see “G” being used to distinguish different “generations” of roots/intermediates (e.g. “G2”, “G3”, etc.), but Let’s Encrypt is the only CA I’ve seen to use “X” and I was curious as to why.

  1. When running an ACME client (so far I’ve used certbot and dehydrated) for the first time, a new account key is generated to register with Let’s Encrypt and sign requests to the ACME server. One can optionally include an email address to get expiry notifications. All well and good.

However, is there any problem with a single individual having multiple registrations – particularly ones without email addresses? I ask because I’ve deployed Let’s Encrypt certificates on several systems and each one generates a new key and registers separately and I don’t want to inadvertently violate a policy.

Thanks!


#2

Good question :slight_smile: I’m not sure myself but will ask around.

There’s no policy against having multiple registrations with the same email address. I’d point out that there is however a rate limit for the number of registrations for a given IP within a fixed time frame (500 Registrations per IP Address per 3 hours). You can read more about that on the rate limits page.

Another thing to consider is the administrative/security overhead of multiple account keys. In our integration guide under the “One Account or Many?” section we say the following:

However, for most larger hosting providers we recommend using a single account and guarding the corresponding account key well. This makes it easier to identify certificates belonging to the same entity, easier to keep contact information up-to-date, and easier to provide rate limits adjustments if needed. We will be unable to effectively adjust rate limits if many different accounts are used.

Your situation might make multiple accounts the better solution but its something to consider :slight_smile:

Hope this helps,


#3

Good question :slight_smile: I’m not sure myself but will ask around.

Awesome, thanks! Also, my statement was not entirely accurate: the DST root which has signed the Let’s Encrypt intermediary also uses the X notation. I had forgotten about that until now.

I assume that someone thought the X sounded pretty cool, so they went with it, but I’m sure there’s an actual backstory as to why.

There’s no policy against having multiple registrations with the same
email address. I’d point out that there is however a rate limit for the
number of registrations for a given IP within a fixed time frame (500
Registrations per IP Address per 3 hours).

Indeed. I’m not anywhere near hitting any of the rate limits, especially the registrations-per-IP limit. It’s just that the different systems I maintain use different ACME clients with different storage formats for registration data. I could move the account key from one system to the next but it’d require manual rewriting of config files to make everything work. In my case, it’s easier to just run the script for the first time and have it generate a new key. Since I’m exceedingly lazy and there’s no particular technical or policy reason not to do that, I think I’ll just stick with that. :wink:

On a related note, I wanted to thank you guys for permitting anonymous, automated registration rather than requiring one first manually register for an account on the website, provided various personal information, need to copy-paste API keys, etc. It’s a refreshing change from the status quo.


#4

I asked one individual who has been with the project from the start and they said there’s no specific meaning to our use of “X” but that it probably came from following Identrust’s lead with their “DST Root X3”. Perhaps Identrust could tell you why they picked “X” instead of “G” or another letter. Maybe they’'re big X-men fans :laughing:

You’re welcome! Thanks for the kind words/support.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.