New Intermediate Certificate Timeline

I saw that the new intermediates were issued last month, but I was wondering if there is a rough timeline available for when the new intermediate certificates will be put into rotation. Also curious if the new intermediates will be added to the current ones, or if there will be a hard switch.
Ex, period when R3 and R10 / R11 are randomized issuing certs or immediate switch from R3 to only R10 / R11 randomized.

For reference: Trying to push co-workers away from pinning intermediate certs, but they tend to back burner things until there is an EOL on the horizon.

1 Like

The official announcement should be out this week.

5 Likes

IMHO, they should not pin. Here are two comments from ISRG staff in a semi-recent threat about this. My takeaway is the LE staff have long been eager to start making some architecture changes - both in networking and certificate chaining - and we should expect them to start acting on this quickly after the infrastructure changes.

5 Likes

Yep, both @MikeMcQ and @jvanasco are correct: you should see another announcement from us detailing our plans -- including the date we intend to switch things up -- later this week. And please show these comments from us to your coworkers as encouragement to not pin: it does not provide the security benefits that people hope it does, and it causes breakages when we change our issuance hierarchy.

9 Likes

Link to official announcement:

2 Likes

2 posts were split to a new topic: Renewing X2-by-X1 cross-signed root

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.