public inbox for cygwin-apps@cygwin.com
From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
To: cygwin-apps@cygwin.com
Subject: Re: Let's Encrypt Dropping Cross-Signed Root and Intermediates; Issuing New Intermediates; New Cert Chains
Date: Fri, 19 Apr 2024 07:13:35 -0600
Message-ID: <abbdc65c-953f-4804-aa93-cc4fca2d16ee@SystematicSw.ab.ca>
In-Reply-To: <67488e2d-c183-4a3c-9248-7e907ae42c5f@dronecode.org.uk>

Unsure of impact and action required was why I posted - Cygwin, Sourceware, GNU, 
Kernel.org, etc. use LE certs.

Looks like new root and/or intermediate certs are available to be packaged 
before they will be used 2024 June 6 and old cross-signed root if included may 
be removed before 2024 Sep 30.

Seems that outdated Android versions will no longer work as before on LE 
certified sites, but probably others have also changed by now.

On 2024-04-19 06:48, Jon Turney via Cygwin-apps wrote:
> On 17/04/2024 04:48, Brian Inglis via Cygwin-apps wrote:
> Is this FYI, or are you suggesting there is some specific action we need to take?
> 
>> https://letsencrypt.org/2023/07/10/cross-sign-expiration
>> Shortening the Let's Encrypt Chain of Trust
>> "On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in 
>> requests made to our /acme/certificate API endpoint.
>> On Thursday, June 6th, 2024, we will stop providing the longer cross-signed 
>> chain entirely.
>> On Monday, September 30th, 2024, the cross-signed certificate will expire."
>>
>> https://letsencrypt.org/2024/03/19/new-intermediate-certificates
>> New Intermediate Certificates
>> "Let’s Encrypt generated 10 new Intermediate CA Key Pairs, and issued 15 new 
>> Intermediate CA Certificates containing the new public keys."
>>
>> https://letsencrypt.org/2024/04/12/changes-to-issuance-chains
>> Deploying Let's Encrypt's New Issuance Chains
>> "On Thursday, June 6th, 2024, we will be switching issuance to use our new 
>> intermediate certificates. Simultaneously, we are removing the DST Root CA X3 
>> cross-sign from our API, aligning with our strategy to shorten the Let’s 
>> Encrypt chain of trust. We will begin issuing ECDSA end-entity certificates 
>> from a default chain that just contains a single ECDSA intermediate, removing 
>> a second intermediate and the option to issue an ECDSA end-entity certificate 
>> from an RSA intermediate."

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry

Thread overview: 3+ messages
2024-04-17  3:48 Brian Inglis
2024-04-19 12:48 ` Jon Turney
2024-04-19 13:13   ` Brian Inglis [this message]
