Small change to end entity certificates: CPS URL and OID will not be included from June 15

As of June 15, the certificates you get from Let's Encrypt will be a little shorter. We'll be removing some redundant data: the Certificate Policies extension containing the Object Identifier (OID) that identifies our Certification Practices Statement (CPS), along with the URL pointing to that CPS. The OID is already present in our intermediate certificates, and the URL can be found on our website and in the Common CA Database.

We're making this change to save bytes for visitors to websites using Let's Encrypt certificates, and to align more closely with the CA/Browser Forum Ballot SC62, which marks the policyQualifiers field (which contains the CPS URL) as NOT RECOMMENDED.

We expect this change will not cause any breakage for ACME clients or visitors to websites using Let's Encrypt certificates.

17 Likes
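To check whether a certificate's Certificate Policies extension still carries the CPS qualifier described in the announcement above, the following is an added example, not part of the original post and not Let's Encrypt's code. It reads the DER-encoded extension value with a small hand-written parser; the function names, the CA policy OID `1.3.6.1.4.1.99999.1` and the URL `http://cps.example.test` are constructed placeholders.

```python
CPS_QUALIFIER = "1.3.6.1.5.5.7.2.1"            # id-qt-cps (RFC 5280)

def read_tlv(buf, pos):                        # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                           # yield (tag, value) per nested element
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(body):
    subs = [0]
    for b in body:                             # base-128 subidentifiers
        subs[-1] = (subs[-1] << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(0)
    first = min(subs[0] // 40, 2)              # first byte packs the first two arcs
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:-1]))

def parse_policies(ext_value):
    """Return [(policy_oid, [cps_uri, ...]), ...] for a DER CertificatePolicies."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("CertificatePolicies must be a SEQUENCE")
    result = []
    for _, info in children(seq):              # one PolicyInformation each
        fields = list(children(info))
        uris = []
        for _, qual in (children(fields[1][1]) if len(fields) > 1 else []):
            (_, qid), (qtag, qval) = list(children(qual))[:2]
            if decode_oid(qid) == CPS_QUALIFIER and qtag == 0x16:  # IA5String
                uris.append(qval.decode("ascii"))
        result.append((decode_oid(fields[0][1]), uris))
    return result

def tlv(tag, body):                            # short-form encoder for the samples
    return bytes([tag, len(body)]) + body

# Constructed samples (not real certificate data): placeholder CA OID and URL.
DV = tlv(0x06, bytes.fromhex("67810c010201"))            # 2.23.140.1.2.1
CA_OID = tlv(0x06, bytes.fromhex("2b06010401868d1f01"))  # 1.3.6.1.4.1.99999.1
QUAL = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070201"))
           + tlv(0x16, b"http://cps.example.test"))
WITH_CPS = tlv(0x30, tlv(0x30, DV) + tlv(0x30, CA_OID + tlv(0x30, QUAL)))
WITHOUT_CPS = tlv(0x30, tlv(0x30, DV))
```

`parse_policies` expects the inner bytes of the extension (the contents of its `extnValue` OCTET STRING); a policy entry with a non-empty URI list still has the `policyQualifiers` field that Ballot SC62 marks as NOT RECOMMENDED.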

This change is now live in our staging environment.

12 Likes

This change is scheduled to be deployed tomorrow, 2023-06-15.

11 Likes

This change has been deployed to our production environment.

12 Likes

We have identified that during the deployment of this change, some certificates and precertificates may have mismatched due to being issued during the deployment of this change. We temporarily halted issuance after being notified of and triaging the problem. We have resumed issuance now. Expect to see incident reports from us in the near future, including revocation of affected certificates.

12 Likes