Questions re: OpenSSL Client Compatibility Changes for Let’s Encrypt Certificates

Currently, you offer two chains:

R3 (signed by ISRG Root X1) -> Subscriber certificate [default]
R3 (signed by DST Root CA X3) -> Subscriber certificate

and you mention that soon you will be moving to

ISRG Root X1 (signed by DST Root CA X3) -> R3 (signed by ISRG Root X1) -> Subscriber certificate [default]
R3 (signed by ISRG Root X1) -> Subscriber certificate

Two questions about how this transition is going to be managed:

  1. Are you going to start offering the longer chain as an alternate before you switch it over to be default, so that we have time to test with it?
  2. Once you do switch over to the longer chain as the default, will you still offer R3 (signed by DST Root CA X3) as an alternate?

We currently have code that selects the R3 signed by DST Root CA X3 chain using the alternate mechanism (done to prepare for the abandoned switch to ISRG Root X1 plan) and would like to know if we need to roll that back. It'd also give us an opportunity to see if there are any unexpected bumps in the road with the longer chain.
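An added example, not code from the poster or from Let's Encrypt, that models the alternate-chain selection the post describes: each chain is a list of (subject, issuer) pairs from the subscriber certificate upward, and selection works the way preferred-chain logic typically does, by the issuer name of the topmost certificate. The leaf name and the helper names are this example's own assumptions; the chain shapes are the ones listed in the post.

```python
# Added example (not from the original post). Chains are ordered from the
# subscriber certificate up to the highest intermediate; each entry is
# (subject, issuer). The leaf name is constructed.
LEAF = ("example.org", "R3")

# What the post says is offered today: default chain, then alternates.
CURRENT_DEFAULT = [LEAF, ("R3", "ISRG Root X1")]
CURRENT_ALTERNATES = [[LEAF, ("R3", "DST Root CA X3")]]

# What the post says is coming: the longer cross-signed chain as default.
FUTURE_DEFAULT = [LEAF, ("R3", "ISRG Root X1"), ("ISRG Root X1", "DST Root CA X3")]
FUTURE_ALTERNATES = [[LEAF, ("R3", "ISRG Root X1")]]


def is_linked(chain):
    """Every certificate's issuer must be the subject of the next one up."""
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def top_issuer(chain):
    """Name of the root the chain asks the client to trust."""
    return chain[-1][1]


def describe(chain):
    """Render a chain in the post's notation, e.g.
    'R3 (signed by ISRG Root X1) -> Subscriber certificate'."""
    parts = [f"{subj} (signed by {iss})" for subj, iss in reversed(chain[1:])]
    return " -> ".join(parts + ["Subscriber certificate"])


def select_chain(default, alternates, preferred_root):
    """Return (chain, used_alternate): the first well-linked chain whose
    topmost certificate is signed by preferred_root, else the default.
    The default is checked first, so once the longer chain becomes default
    a preference for DST Root CA X3 is satisfied without any alternate."""
    for chain in [default] + alternates:
        if is_linked(chain) and top_issuer(chain) == preferred_root:
            return chain, chain is not default
    return default, False


if __name__ == "__main__":
    for label, default, alts in (("current", CURRENT_DEFAULT, CURRENT_ALTERNATES),
                                 ("future", FUTURE_DEFAULT, FUTURE_ALTERNATES)):
        chain, alt = select_chain(default, alts, "DST Root CA X3")
        print(f"{label}: {describe(chain)} (alternate used: {alt})")
```

Run stand-alone it shows that the same preference picks the alternate today but the new default after the switch, which is the behaviour the post's selection code will see.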