When will Let's Encrypt switch to chain "Subscriber Certificate < – R3 < – ISRG Root X1 < – DST Root CA X3"?

As described here: Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt - Free SSL/TLS Certificates
It's late February and we still obtain certificates with the chain "Subscriber Certificate < – R3 < – DST Root CA X3".
Is there some roadmap for this? Does anybody know?
Thank you.

3 Likes

Hi filip, welcome back! There have been multiple posts on this topic recently. The most recent post in API Announcements shows that we have just started serving the longer chain in Staging, and replies on similar topics show that we haven't given a firm date but we'll be sure that there are lots of announcements when we do.

2 Likes

@aarongable I have a related question, which hopefully you can answer...

Considering Certificates are designed to be a 90 day time period, is it safe to assume the LATEST date this change will happen is "September 30, 2021 - 90 days", which would roughly be around "June 30th 2021" – or is ISRG unable to guarantee a root shift will happen before then, and there might be a period where certificates are valid for less than 90 days? Emphasis on "a", ISRG might use another root/chain!

2 Likes

Yes, it is safe to say that we intend to make the switch significantly prior to June 30th.

Note that the certs themselves would not be invalid, since they will still be issued by R3, but the chains downloaded by ACME clients at issuance time would become invalid and that would be an issue.

3 Likes

@aarongable Thank you.

2 Likes

:partying_face: :partying_face: :partying_face: :confetti_ball: :confetti_ball: :confetti_ball: :boom: :boom: :boom: :rainbow: :rainbow: :rainbow: :tada: :tada: :tada:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.