I would very much appreciate some further information as our organization will be affected by this change.
My questions are:
As part of the changeover, will the existing certificates (such as R3 and R4, which currently expire in September 2025) be revoked?
What time will this changeover be happening on June 6th 2024?
Once the changeover has occurred, will the intermediate certificates in use be the primary ones (R10 and R11) as opposed to the backup ones (R12, R13 and R14), at least initially?
Any information that you can help with to answer these would be greatly appreciated.
No, they'll still be there, and certificates issued by them will still be valid for their normal duration. (Like if a certificate is issued today by R3, then it will still be valid for its usual three months from now.)
They haven't given an exact timeline; the closest is this post saying that it will likely be in the afternoon (North America time). I think they have a lot of things to line up to get it done and don't want to be tied to some external timetable.
For RSA certificates, yes. ECDSA certificates (which newer systems often use by default) will be issued from E5 & E6 initially.
R3 and R4 will not be revoked. The switchover will happen sometime during afternoon business hours in Eastern time. The initial set of issuing intermediates will be E5, E6, R10, and R11, but you should be prepared for any intermediates to be used.
The Intermediate Certificates are not being revoked. No existing services or certificates will be affected. Let's Encrypt is simply cycling in new Intermediate Certificates with advance notice. ACME clients properly designed to the RFC Specifications, and proper integrations, should have no issue with this - they all should be able to handle any change in intermediates without any notice.
The time of the changeover is immaterial. You should expect it to happen any time after 12:00am.
The specific intermediates are immaterial. If your systems are cognizant of the intermediates in any way, you have integrated an anti-pattern.
The only impacts your organization should have:
1- If you have clients that do not trust the ISRG Root X1 Certificate, you will need to renew on June 5th. That will give you until September 5th to either update your clients OR switch to a new Certificate Authority.
2- If your systems are improperly designed and hardcode a specific certificate chain, expect things to break. This is very rare as major clients have never done this, and most minor/esoteric clients have guarded against this for many years (as there have been many chain switches).
Thank you, this helps. We want to monitor the certificate chain on that day to make sure everything stays OK, and this gives us some idea of the likely timeframe.
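An added example, not posted by anyone in this thread and not Let's Encrypt's code: one way to monitor a host through the switchover without pinning an intermediate. The handshake against the system trust store is the pass/fail check, and a change of issuing intermediate is only logged. The function names, `EXPECTED_ORG` and the sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl

EXPECTED_ORG = "Let's Encrypt"  # assumption: the CA this site is meant to use

def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples of a getpeercert() dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def fetch_leaf(host, port=443, timeout=10):
    """Handshake against the system trust store and return the leaf as a dict.

    Raises ssl.SSLCertVerificationError if the served chain does not build to
    a trusted root; that exception is the real "chain is broken" signal.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def compare(previous, current, expected_org=EXPECTED_ORG):
    """Classify a change between two observations of the same host."""
    old, new = issuer_fields(previous), issuer_fields(current)
    if new.get("organizationName") != expected_org:
        return "ALERT", f"unexpected issuing CA: {new.get('organizationName')}"
    if old.get("commonName") != new.get("commonName"):
        # Expected during a rotation: log it, do not page anyone.
        return "INFO", f"intermediate changed: {old.get('commonName')} -> {new.get('commonName')}"
    return "OK", f"issuer unchanged: {new.get('commonName')}"

def _sample(org, cn):
    """Constructed getpeercert()-style dict; not captured from a real server."""
    return {"issuer": ((("countryName", "US"),),
                       (("organizationName", org),),
                       (("commonName", cn),))}

BEFORE = _sample("Let's Encrypt", "R3")
AFTER = _sample("Let's Encrypt", "R10")
OTHER = _sample("Example CA (constructed)", "Example Issuing CA")

if __name__ == "__main__":
    for label, cert in (("same", BEFORE), ("rotated", AFTER), ("other CA", OTHER)):
        print(label, compare(BEFORE, cert))
```

In a live check, call `fetch_leaf("your.host.example")` on a schedule, store the result, and pass the previous and current results to `compare`.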