Update Certificates Chains section for Gen Y Hierarchy

I saw the announcement today for Gen Y issuance using tlsserver and shortlived profiles (here).

And, most of the Certificates page is updated for that.

But, the Chains section at the bottom of that page does not describe Gen Y. See: Chains of Trust - Let's Encrypt

In the past we have had many questions from people interested in shortening their chain or otherwise optimizing it for their audience. Would be helpful if that page described the default and alternate chains.

12 Likes

Thanks for noticing! I've got a PR to update the "Chains" section here: Document chains inline with active intermediates by aarongable · Pull Request #2124 · letsencrypt/website · GitHub

6 Likes

Can you also document what the alternate chains are called? (i.e. the chain "name" to request)
I had to click on the certbot documentation link to find out it's the Subject name of the topmost cert.

Alternate chains have no names in the ACME protocol; they're just alternates. There's an index number, but that's it. Chain naming is done locally by the ACME client and as such may differ from client to client. That said, the certbot naming scheme is fairly common (and makes the most sense IMHO).

7 Likes
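How a client sees alternate chains, as an added example that is not part of the original thread: RFC 8555 advertises them only as `Link` headers with `rel="alternate"` on the certificate download response, so any label has to be assigned by the client. The host name, URLs and header values below are constructed samples, and the numbering in `enumerate_chains` is this example's own local choice.

```python
import re

# One link-value per RFC 8288: <URI-Reference> followed by ";name=value" parameters.
_LINK_RE = re.compile(
    r'<([^>]*)>((?:\s*;\s*[^;,="\s]+(?:\s*=\s*(?:"[^"]*"|[^;,\s]*))?)*)')
_PARAM_RE = re.compile(r';\s*([^;,="\s]+)(?:\s*=\s*(?:"([^"]*)"|([^;,\s]*)))?')

# Constructed sample: Link header lines as they could appear on the response
# to a certificate download request.
SAMPLE_LINK_HEADERS = [
    '<https://acme.example/directory>;rel="index"',
    '<https://acme.example/cert/abc123/1>;rel="alternate", '
    '<https://acme.example/cert/abc123/2>; rel=alternate',
]


def parse_links(header_values):
    """Yield (url, params) for every link-value in the given Link header lines."""
    for value in header_values:
        for m in _LINK_RE.finditer(value):
            params = {}
            for p in _PARAM_RE.finditer(m.group(2)):
                val = p.group(2) if p.group(2) is not None else (p.group(3) or "")
                params.setdefault(p.group(1).lower(), val)  # first occurrence wins
            yield m.group(1), params


def alternate_chain_urls(header_values):
    """Return alternate-chain URLs in the order listed, without duplicates."""
    urls = []
    for url, params in parse_links(header_values):
        # rel may carry several space-separated relation types.
        if "alternate" in params.get("rel", "").lower().split() and url not in urls:
            urls.append(url)
    return urls


def enumerate_chains(default_url, header_values):
    """Number the chains locally: 0 is the URL that was downloaded, then alternates."""
    alternates = [u for u in alternate_chain_urls(header_values) if u != default_url]
    return list(enumerate([default_url] + alternates))


if __name__ == "__main__":
    for index, url in enumerate_chains("https://acme.example/cert/abc123",
                                       SAMPLE_LINK_HEADERS):
        print(index, url)
```

Nothing in these headers carries a chain name; a client that offers one has to download each alternate and read the certificates in it.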

Can the Certificate Compatibility - Let's Encrypt page also be updated with information regarding the Y Hierarchy? I know the Y Roots are cross-signed with the older X Roots. But some clients handle chaining badly, so knowing the minimum versions of the clients which have the new Y Roots in their trust stores is useful for the community.

1 Like

@vgk good point, I actually haven't seen Root YR/YE in any trust stores yet - although I'm just checking current Windows, Firefox and Chrome as examples.

1 Like

The compatibility page will be updated when we submit the roots for inclusion. That hasn't happened yet, but we'll let you know when it does.

5 Likes
