Small change to end entity certificates: CPS URL and OID will not be included from June 15

As of June 15, the certificates you get from Let's Encrypt will be a little shorter. We'll be removing some redundant data: the Certificate Policies extension containing the Object Identifier (OID) that identifies our Certification Practices Statement (CPS), along with the URL pointing to that CPS. The OID is already present in our intermediate certificates, and the URL can be found on our website and in the Common CA Database.

We're making this change to save bytes for visitors to websites using Let's Encrypt certificates, and to align more closely with the CA/Browser Forum Ballot SC62, which marks the policyQualifiers field (which contains the CPS URL) as NOT RECOMMENDED.

We expect this change will not cause any breakage for ACME clients or visitors to websites using Let's Encrypt certificates.

This change is now live in our staging environment.

This change is scheduled to be deployed tomorrow, 2023-06-15.

This change has been deployed to our production environment.

We have identified that during the deployment of this change, some certificates and precertificates may have mis-matched due to being issued during the deployment of this change. We temporarily halted issuance after being notified of and triaging the problem. We have resumed issuance now. Expect to see incident reports from us in the near future, including revocation of affected certificates.