SoylentNews
posted by Fnord666 on Tuesday April 23 2019, @09:11AM
from the getting-to-the-root-of-the-issue dept.

Submitted via IRC for Bytram

Let's Encrypt to transition to ISRG root

Let's Encrypt have announced that on July 8th, 2019 they will begin issuing new certificates from their own intermediate CA and not their current cross-signed intermediate. Here's what that means and what action, if any, site operators need to take.

[...] Like all new CAs, Let's Encrypt began life with a cross-signature. Cross-signing is a trick that CAs can use to avoid the years-long process of becoming a root CA. It genuinely does take many years to go through this process and Let's Encrypt wouldn't have been able to issue any certificates over the last 3+ years without a cross-sign.

[...] In short, Let's Encrypt currently issue from their cross-signed intermediate, which is issued to them by IdenTrust. IdenTrust have been a CA for many years and even old, legacy clients recognise them as a CA. When you get a certificate from Let's Encrypt right now it is issued by the cross-signed X3 intermediate which chains to the IdenTrust root. Now that Let's Encrypt's ISRG root is widely trusted, they can instead switch to issuing from their own X3 intermediate instead of the cross-signed one. This is a big step forwards for them and will likely not mean anything to the vast majority of their users. There are a few considerations though.
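The arrangement described above is easier to see with a throwaway PKI than with the real one. The script below is an added example, not code from the article or from Let's Encrypt: it builds two self-signed roots (stand-ins for the established IdenTrust root and the new ISRG root), signs one intermediate key from both of them to produce a cross-signed and a directly signed "X3", issues a leaf from that key, and then checks which trust stores can validate the leaf depending on which intermediate the server sends. It needs only the openssl command-line tool; every name and certificate in it (Demo IdenTrust Root, Demo ISRG Root, Demo Authority X3, example.test) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or Let's Encrypt): a constructed PKI that
# mirrors the cross-signing arrangement, plus a check of which trust stores
# accept a leaf for each intermediate a server might send.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config file: a [req] section that satisfies openssl req when -subj is
# used, plus extension sections for roots, intermediates and the leaf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
# unused: every subject below is supplied with -subj
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
authorityKeyIdentifier = keyid
EOF

# Self-signed root for each CA: the established one (stands in for IdenTrust)
# and the new one (stands in for ISRG Root X1). Names are constructed.
make_root() {  # $1 = file stem, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.crt" -days 365 -subj "/CN=$2" \
    -config "$WORK/demo.cnf" -extensions v3_ca 2>/dev/null
}
make_root identrust "Demo IdenTrust Root"
make_root isrg "Demo ISRG Root"

# One intermediate key and one CSR, signed twice. Both resulting certificates
# carry the same subject and public key (and therefore the same key
# identifier), so a leaf issued by this key chains through either of them.
# That is exactly what a cross-sign is.
openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
openssl req -new -key "$WORK/int.key" -out "$WORK/int.csr" \
  -subj "/CN=Demo Authority X3" -config "$WORK/demo.cnf" 2>/dev/null
sign_intermediate() {  # $1 = signing root stem, $2 = output stem
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/demo.cnf" -extensions v3_int \
    -out "$WORK/$2.crt" 2>/dev/null
}
sign_intermediate identrust int-cross   # the cross-signed X3 (old chain)
sign_intermediate isrg int-isrg         # X3 signed by the new root

# Leaf certificate for a server, issued with the intermediate key.
openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
openssl req -new -key "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=example.test" -config "$WORK/demo.cnf" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int-isrg.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 90 -extfile "$WORK/demo.cnf" -extensions v3_leaf \
  -out "$WORK/leaf.crt" 2>/dev/null

# A "client" is just a trust store: legacy clients know only the established
# root, brand-new ones only the ISRG root, current ones know both.
cat "$WORK/identrust.crt" "$WORK/isrg.crt" > "$WORK/both.crt"

# verify_chain: does a client whose trust store is $1 accept the leaf when the
# server sends intermediate $2? Exit status 0 means accepted.
verify_chain() {
  openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# report: one line per client/chain combination.
report() {
  for client in identrust isrg both; do
    for chain in int-cross int-isrg; do
      if verify_chain "$client" "$chain"; then r=accepted; else r=REJECTED; fi
      printf '%-9s client, server sends %-9s : %s\n' "$client" "$chain" "$r"
    done
  done
}
report
```

The two intermediates differ only in their issuer (compare `openssl x509 -in "$WORK/int-cross.crt" -noout -issuer -subject` with the same for int-isrg), which is why the legacy store rejects the leaf as soon as the server switches to the directly signed X3 while a store containing both roots accepts either chain. Against a real server the equivalent check is to look at the intermediate it sends (`openssl s_client -connect host:443 -showcerts`) and run `openssl verify` against the oldest trust store you still need to support.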

Useful links and information

Let's Encrypt transition announcement: https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html

Let's Encrypt ISRG root coverage: https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html

The Best TLS Training in the World: https://www.feistyduck.com/training/the-best-ssl-and-tls-training-in-the-world

  • (Score: 0) by Anonymous Coward on Tuesday April 23 2019, @07:18PM (#834000)

    Hopefully you're only using LE for personal sites? 3 months and a cron job is good enough for that.

    I mean, if you're using LE for business, maybe you shouldn't. It costs money to make money. That's capitalism, folks.

  • (Score: 4, Informative) by The Shire (5824) on Tuesday April 23 2019, @08:28PM (#834025)

    Have you looked at this site's cert?

    LE is an excellent cost-effective business choice. If you think end users care if your domain name is in green lettering or if it's just the green padlock, or that they even know what an SSL certificate is, you're sorely mistaken. The only thing a user cares about is if their browser barks at them that they're submitting info over an unencrypted connection or that the site certificate can't be verified. LE certs prevent both of those things from happening.

    Any business that doesn't look at LE first for general site encryption (i.e. home page, customer support, etc.) is a business that's throwing money out the door for no good reason.

    • (Score: 0) by Anonymous Coward on Wednesday April 24 2019, @02:01AM (#834158)

      Also with Expect-CT, you can require conforming user agents to reject connections with an invalid SCT signature. Coupled with a report endpoint and a script to check for CT reports, you've got a pretty good solution for stopping phishing attempts on your domains along with TLS certificates for free.