In productive SAP, we have the certificate CN=R3, O=Let's Encrypt, C=US expiring on 15.09.2025 in STRUST (as intermediate certificate of CN=*.a1c4955.kyma.ondemand.com).
I have currently verified that I only have R10 available, and I would like to know if this certificate will replace R3.
If so, is there any extra care in your update at STRUST?
If it's not too much trouble, I also have the updated ISRG Root X1 certificate at STRUST. Can I dispense with intermediate certificates such as R3 or R10?
If you mean "IdenTrust" with "STRUST", i.e., the cross-sign, then yes, it's A LOT of trouble (and probably $$$) so Let's Encrypt has decided NOT to get another cross-sign.
What does this mean?
There are multiple intermediate certificates in use currently (see above by @9peppe), but R3 is not one of them; it has been retired and won't be coming back.
Let's Encrypt signs all Leaf/EndEntity Certificates with an Intermediate (currently R10, R11, E5, E6), which is signed by ISRG Root X1 or X2.
The intermediates are randomly chosen and may be replaced at any time. R10/R11 can be considered replacements for R3. R3 is retired and will no longer sign anything.
The X1 and X2 root Certificates should be in your trust store.
Enrolling any Leaf/EndEntity Certificate (for a domain) into your system will require enrolling the "fullchain", which is the combination of the Leaf/EndEntity certificate AND the chain of intermediates bridging the trust from that certificate to X1/X2.
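Added example, not part of the thread: a shell sketch of the point made in the last reply, showing that a verifier trusting only the root rejects a leaf presented alone and accepts it once the intermediate arrives with it as a fullchain. It assumes the `openssl` CLI is installed; the CA names (`Demo Root`, `Demo R10`), the host `demo.example` and the helper functions are constructed for the demo and are not Let's Encrypt or SAP material.

```shell
#!/bin/sh
# Constructed demo PKI: "Demo Root" plays the role of ISRG Root X1, "Demo R10"
# an intermediate, demo.example the leaf. All names and files are made up.

mk_cert() {  # mk_cert DIR NAME CN ISSUER EXTFILE   (ISSUER = NAME: self-signed)
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  if [ "$2" = "$4" ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 2 \
      -extfile "$5" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
      -CAcreateserial -days 2 -extfile "$5" -out "$1/$2.pem" 2>/dev/null
  fi
}

build_pki() {  # build_pki DIR: root -> intermediate -> leaf, plus fullchain.pem
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  mk_cert "$1" root  "Demo Root"    root  "$1/ca.ext" &&
  mk_cert "$1" inter "Demo R10"     root  "$1/ca.ext" &&
  mk_cert "$1" leaf  "demo.example" inter "$1/leaf.ext" &&
  cat "$1/leaf.pem" "$1/inter.pem" > "$1/fullchain.pem"  # leaf first, then chain
}

verifies() {  # verifies DIR TARGET [UNTRUSTED]: the only trust anchor is root.pem
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$1/root.pem" "$2" 2>&1 | grep -q ': OK$'
  fi
}

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
build_pki "$WORK" || { echo "openssl failed to build the demo PKI" >&2; exit 1; }

# Root in the trust store, leaf presented alone: no path to the anchor.
verifies "$WORK" "$WORK/leaf.pem" && echo "leaf alone: OK" || echo "leaf alone: rejected"
# Same trust store, fullchain presented: the intermediate bridges leaf to root.
verifies "$WORK" "$WORK/fullchain.pem" "$WORK/fullchain.pem" && echo "fullchain: OK"
```

Passing the same `fullchain.pem` as both target and `-untrusted` makes `openssl verify` check the first certificate in the file (the leaf) while using the remaining ones as candidate intermediates.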