SoylentNews

upstart writes:

Submitted via IRC for Bytram

Let's Encrypt to transition to ISRG root

Let's Encrypt have announced that on July 8th, 2019 they will begin issuing new certificates from their own intermediate CA and not their current cross-signed intermediate. Here's what that means and what action, if any, site operators need to take.

[...] Like all new CAs, Let's Encrypt began life with a cross-signature. Cross-signing is a trick that CAs can use to avoid the years long process of becoming a root CA. It genuinely does take many years to go through this process and Let's Encrypt wouldn't have been able to issue any certificates over the last 3+ years without a cross-sign.

[...] In short, Let's Encrypt currently issue from their cross-signed intermediate, which is issued to them by IdenTrust. IdenTrust have been a CA for many years and even old, legacy clients recognise them as a CA. When you get a certificate from Let's Encrypt right now it is issued by the cross-signed X3 intermediate which chains to the IdenTrust root. Now that Let's Encrypt's ISRG root is widely trusted, they can instead switch to issuing from their own X3 intermediate instead of the cross-signed one. This is a big step forwards for them and will likely not mean anything to the vast majority of their users. There are a few considerations though.

Useful links and information

Let's Encrypt transition announcement: https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html

Let's Encrypt ISRG root coverage: https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html

The Best TLS Training in the World: https://www.feistyduck.com/training/the-best-ssl-and-tls-training-in-the-world

Original Submission