Publish new root certificates soon

Hi.
I think you need to get your skates on and publish new root certificates soon.
If a root certificate is valid for 10 years, you need to renew it every 5 years, otherwise you cannot generate intermediate certificates valid for 5 years.
If an intermediate certificate is valid for 5 years, you need to renew it every 3 years, otherwise you cannot generate end user certificates valid for 1-2 years.

Your existing root certs are expiring very soon (months away) and should have been renewed 5 years ago!!!
You have to also allow significant time for the new root certificate to be distributed to everyone’s PC, laptop, mobile phone etc.

Kind Regards

James

Hi @jcdutton, welcome to the community! I’ve moved this out into its own thread because it’s more a discussion of timing than of the specific issuance plans.

Indeed, we plan to publish a new ECDSA root certificate in the next few months, which is the purpose of this thread and the upcoming ceremony.

Our current root certificate, ISRG Root X1, is valid for 20 years, until 2035. Our new ECDSA root will also be valid for 20 years.

You may be thinking of our cross-sign / sub-CA from IdenTrust’s DST Root X3. That indeed expires on March 17 2021. One of our upcoming goals is to have IdenTrust sign the newly issued R3 and R4 intermediates, so we have a sub-CA valid through Sep 2021. Unfortunately, that is when DST Root X3 expires. Perhaps you’re thinking of DST Root X3 when you say our root is expiring soon? We discuss the issue at https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html.

We indeed did let things go longer than we would have liked before generating new intermediates. My apologies for that. Keep in mind that we have never generated end-entity certificates valid for more than 90 days.

4 Likes

If an intermediate certificate is valid for 5 years, you need to renew it every 3 years, otherwise you cannot generate end user certificates valid for 1-2 years.

That’s not quite right. Intermediate certs can be used immediately after they’re issued, since they chain up to the root. It’s only root certificates that you need to wait until they’re on everyone’s device before you start using them.

Your existing root certs are expiring very soon (months away) and should have been renewed 5 years ago!!!

You might be thinking of DST Root X1, which expires in September 2021. Let’s Encrypt already has their own root certificate in every major root store, ISRG Root X1. This expires in 2035, so no hurry to replace it. Their root was issued in 2015, so that follows the timeline you suggest - five years between issuance until they started using it. (It’s going to become the default for newly-issued end-user certs starting next month.)

2 Likes
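The timing argument in this thread (a child certificate can only be issued while every ancestor stays valid for the child's whole lifetime, and only a new root needs distribution time before use) is easy to get wrong by hand. The following is an added example, not code from the thread or from Let's Encrypt: a small pure-Python model of a chain with hypothetical validity windows (the 90-day leaf lifetime and the 2015 to 2035 root window echo figures mentioned above; the intermediate dates and the distribution lead time are made up) that computes the last day on which a child of a given lifetime can be issued and the date by which the weakest link must be replaced.

```python
from datetime import date, timedelta

# Constructed chain, root first. Only the root's 2015-2035 window echoes
# the thread; the intermediate window and names are hypothetical.
CHAIN = [
    {"name": "Example Root (hypothetical)", "is_root": True,
     "not_before": date(2015, 6, 4), "not_after": date(2035, 6, 4)},
    {"name": "Example Intermediate (hypothetical)", "is_root": False,
     "not_before": date(2020, 9, 4), "not_after": date(2025, 9, 15)},
]

LEAF_LIFETIME_DAYS = 90          # end-entity lifetime used in the thread
ROOT_DISTRIBUTION_DAYS = 5 * 365  # assumed lead time for a root to reach devices


def usable_from(cert, distribution_days=ROOT_DISTRIBUTION_DAYS):
    """Earliest day a CA can safely sign under this certificate.

    An intermediate chains to an already-trusted root, so it is usable
    the day it is issued; a new root is only useful once it has been
    distributed into trust stores, modelled here as a fixed lead time.
    """
    lead = timedelta(days=distribution_days) if cert["is_root"] else timedelta(0)
    return cert["not_before"] + lead


def chain_valid_on(chain, day):
    """Every certificate in the chain must be inside its window on `day`."""
    return all(c["not_before"] <= day <= c["not_after"] for c in chain)


def child_fully_covered(chain, issue_day, lifetime_days):
    """True if a child issued on issue_day is covered for its whole lifetime.

    Validity windows are contiguous intervals, so checking the first and
    last day of the child's lifetime is sufficient.
    """
    last_day = issue_day + timedelta(days=lifetime_days)
    return chain_valid_on(chain, issue_day) and chain_valid_on(chain, last_day)


def last_issue_day(chain, lifetime_days):
    """Latest day a child of lifetime_days can be issued under `chain`.

    The binding constraint is the earliest-expiring ancestor.
    """
    earliest_expiry = min(c["not_after"] for c in chain)
    return earliest_expiry - timedelta(days=lifetime_days)


def replacement_deadline(chain, lifetime_days):
    """Day by which a successor for the weakest link must be usable.

    If the weakest link is the root, subtract the distribution lead time
    so the replacement is already in trust stores when it is needed.
    """
    weakest = min(chain, key=lambda c: c["not_after"])
    deadline = last_issue_day(chain, lifetime_days)
    if weakest["is_root"]:
        deadline -= timedelta(days=ROOT_DISTRIBUTION_DAYS)
    return deadline


if __name__ == "__main__":
    for cert in CHAIN:
        print(f"{cert['name']}: usable from {usable_from(cert)}")
    print("last 90-day leaf issuance:", last_issue_day(CHAIN, LEAF_LIFETIME_DAYS))
    print("successor for weakest link needed by:",
          replacement_deadline(CHAIN, LEAF_LIFETIME_DAYS))
    # A 5-year intermediate under the root alone
    print("last 5-year intermediate issuance under root:",
          last_issue_day(CHAIN[:1], 5 * 365))
```

Running this with the hypothetical dates shows the intermediate usable on its own not_before while the root's usable date is pushed out by the distribution lead time, and that the last 90-day leaf can be issued 90 days before the intermediate expires, which is the date a replacement intermediate has to be in service.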
