Why does Let’s Encrypt R3's cert use lower RSA than the root cert?

Whilst browsing through the certificate chain, I noticed that the Intermediate Certificate (Let’s Encrypt R3) uses RSA 2048 whilst the Root Certificate (ISRG Root X1) uses RSA 4096. Shouldn't R3 use 4096 as well to maintain the standard?

1 Like

There are various differences between a root and an intermediate certificate that justify varying choices in security parameters such as keylength.

First of all, Let's Encrypts/ISRGs root certificate ISRG Root X1 is valid for around 20 years. Let's Encrypts current intermediate R3 is only valid for 5 years. This means that the root is valid for much longer and hence must remain secure for longer.

In addition, intermediates can be changed within minutes**, if required. Let's Encrypt even has a reserve intermediate certificate R4 on standby for emergencies (with key compromise certainly being an emergency). Generally intermediates are much less troublesome: Intermediates can be reissued and revoked much faster and reliable compared to roots. Getting a root into a trust store is a slow process that takes many years. Revoking a root is difficult or even impossible in some cases. Intermediates are much more agile in this respect and thus can justify a lower security level compared to roots.

Next, there is a cost associated with long keys: The computations of a RSA 4096-bit key are roughly 3-10 times* as expensive compared to an RSA 2048-bit key. For performance it is beneficial to have the live intermediate, which signs millions of certificates every day, use a faster algorithm: Not only does this save resources on Let's Encrypts hardware, but is also faster for clients connecting to a website secured with a Let's Encrypt certificate. An intermediate certificate may be pre-verified, but this doesn't work with leaf certificates (those signed by intermediate), because there are over 3 billion unexpired certificates worldwide.

There is also the open question, what value an RSA 4096-bit key has over a 2048-bit key. We don't know of any system that can break a 4096-bit key, but neither is there one for 2048-bit keys. So what is the value of it? For the root certificate, we want to guard against eventualities "what is the situation going to be in 10 years? Don't know", but for the intermediate this eventuality risk is less severe. If there is no reason to believe that a 2048-bit key might be broken, there is hardly any value in going for the more expensive, and less compatible, key sizes. Of course this evaluation can change at some point and we will move away from 2048-bit RSA keys. In 2020, when R3 was generated, 2048-bit keys were still a sensible choice. Maybe the intermediate in 2025, or 2030, will be a 4096-bit key or even an entirely different (PQ-safe?) algorithm? Who knows.

*Exact values depend a lot on hardware and algorithms used. Signing operations are significantly more expensive than veryfing operations on RSA.

**Assuming the infrastructure and actual certificate are already in place. Generating an intermediate is a process that involves legal audits and as such, is usually not that fast-


And to state the unmentioned but obvious: This is not an LE only condition.
If you check with any other high volume global CA, you will find very similar setups.

So your question becomes:
Why do CAs use lower keylength intermediates that their roots?
[which is generically answered in post #2]


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.