Providing a longer certificate chain by default

On May 4, we'll update our API so that ACME clients will download and use a longer certificate chain. This longer chain will ensure our certificates remain compatible with almost all Android devices even after DST Root CA X3 expires on September 30. Most subscribers don't need to make any changes.

This chain will consist of three certificates, instead of the current two:

  • End-entity certificate (aka leaf certificate), signed by R3
  • R3, signed by ISRG Root X1
  • ISRG Root X1, signed by DST Root CA X3

Our API will also offer an "alternate" chain, which you may configure your ACME client to select instead:

  • End-entity certificate, signed by R3
  • R3, signed by ISRG Root X1

We think the long chain is right for most websites. If you know you don't have to support Android users, you may want to choose the short chain.

Our staging environment is already configured to serve a three-certificate "long chain" by default and a two-certificate "short chain" as an alternate. If you have any questions about how your ACME client will handle the change, please go ahead and try it out against the staging environment.

Also, we've updated our Certificate Compatibility page to document the platforms and versions that already trust ISRG Root X1.

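To see which of the two chains a bundle on disk actually carries, here is an added example; it is not from the original post and not Let's Encrypt's own tooling. It is a stdlib-only Python script that pulls the subject and issuer CN out of every certificate in a PEM bundle with a minimal DER walker, checks that each certificate is issued by the next one, and reports "long" when the bundle ends in ISRG Root X1 cross-signed by DST Root CA X3, "short" when it ends at R3 under ISRG Root X1, and "broken" when the links do not match. The hostname www.example.com and the unsigned DER skeletons produced by fake_cert_pem are constructed test input, not real certificates; point the script at a real fullchain.pem to inspect a live deployment.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _common_name(buf, start, end):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN or None."""
    for _, rs, re_ in _children(buf, start, end):            # each RDN (SET)
        for _, as_, ae in _children(buf, rs, re_):            # each AttributeTypeAndValue
            (_, os_, oe), (_, vs, ve) = list(_children(buf, as_, ae))[:2]
            if buf[os_:oe] == CN_OID:
                return buf[vs:ve].decode("utf-8")             # PrintableString or UTF8String
    return None


def subject_issuer(der):
    """Return (subject_cn, issuer_cn) of one DER-encoded X.509 certificate."""
    _, cs, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, ts, te = _tlv(der, cs)               # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # order is now: serialNumber, signature, issuer, validity, subject, ...
    _, is_, ie = fields[2]
    _, ss, se = fields[4]
    return _common_name(der, ss, se), _common_name(der, is_, ie)


def parse_bundle(pem_text):
    """Leaf-first list of (subject_cn, issuer_cn) for every certificate in a PEM bundle."""
    return [subject_issuer(base64.b64decode("".join(body.split())))
            for body in PEM_RE.findall(pem_text)]


def classify(pairs):
    """'long', 'short', or a reason the bundle is neither."""
    if not pairs:
        return "empty"
    for (_, issuer), (next_subject, _) in zip(pairs, pairs[1:]):
        if issuer != next_subject:
            return f"broken: issued by {issuer!r} but next cert is {next_subject!r}"
    top_subject, top_issuer = pairs[-1]
    if top_subject == "ISRG Root X1" and top_issuer == "DST Root CA X3":
        return "long"   # ends in the cross-signed ISRG Root X1 (the Android-compatible chain)
    if top_issuer == "ISRG Root X1":
        return "short"  # ends at R3; relies on ISRG Root X1 being in the client trust store
    return f"unknown: top is {top_subject!r} issued by {top_issuer!r}"


# --- constructed sample input: unsigned DER skeletons, NOT real certificates ---
def _enc(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, CN_OID) + _enc(0x0C, cn.encode()))))


def fake_cert_pem(subject, issuer):
    """Just enough tbsCertificate structure for subject_issuer() to walk; no key, no signature."""
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + _name(issuer) + _enc(0x30, b"") + _name(subject))
    cert = _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(cert).decode()}\n-----END CERTIFICATE-----\n"


LONG_CHAIN = (fake_cert_pem("www.example.com", "R3") + fake_cert_pem("R3", "ISRG Root X1")
              + fake_cert_pem("ISRG Root X1", "DST Root CA X3"))
SHORT_CHAIN = fake_cert_pem("www.example.com", "R3") + fake_cert_pem("R3", "ISRG Root X1")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LONG_CHAIN
    pairs = parse_bundle(text)
    for subject, issuer in pairs:
        print(f"  {subject!r} issued by {issuer!r}")
    print("chain:", classify(pairs))
```

Two caveats when using this. First, it inspects the bundle on disk, which is not the same as what the server sends; because the regex picks PEM blocks out of any text, you can check a live endpoint by saving the output of `openssl s_client -connect host:443 -showcerts </dev/null` to a file and passing that instead. Second, the post does not name the client-side switch, but in certbot the alternate chain is selected with `--preferred-chain`, which matches the issuer CN of the topmost certificate in the chain; the short chain's topmost certificate is R3 issued by ISRG Root X1, so `--preferred-chain "ISRG Root X1"` selects it.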

This change to our API is now complete in Production. ACME clients should now retrieve the longer (by one certificate) chain by default. 🎊
