Let's Encrypt Dropping Cross-Signed Root and Intermediates; Issuing New Intermediates; New Cert Chains

Let's Encrypt Dropping Cross-Signed Root and Intermediates; Issuing New Intermediates; New Cert Chains

[Brian Inglis]

Hi folks,

https://letsencrypt.org/2023/07/10/cross-sign-expiration
Shortening the Let's Encrypt Chain of Trust
"On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in 
requests made to our /acme/certificate API endpoint.
On Thursday, June 6th, 2024, we will stop providing the longer cross-signed 
chain entirely.
On Monday, September 30th, 2024, the cross-signed certificate will expire."

https://letsencrypt.org/2024/03/19/new-intermediate-certificates
New Intermediate Certificates
"Let’s Encrypt generated 10 new Intermediate CA Key Pairs, and issued 15 new 
Intermediate CA Certificates containing the new public keys."

https://letsencrypt.org/2024/04/12/changes-to-issuance-chains
Deploying Let's Encrypt's New Issuance Chains
"On Thursday, June 6th, 2024, we will be switching issuance to use our new 
intermediate certificates. Simultaneously, we are removing the DST Root CA X3 
cross-sign from our API, aligning with our strategy to shorten the Let’s Encrypt 
chain of trust. We will begin issuing ECDSA end-entity certificates from a 
default chain that just contains a single ECDSA intermediate, removing a second 
intermediate and the option to issue an ECDSA end-entity certificate from an RSA 
intermediate."

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry

Re: Let's Encrypt Dropping Cross-Signed Root and Intermediates; Issuing New Intermediates; New Cert Chains

[Jon Turney]

On 17/04/2024 04:48, Brian Inglis via Cygwin-apps wrote:
> Hi folks,

Is this FYI, or are you suggesting there is some specific action we need 
to take?

> https://letsencrypt.org/2023/07/10/cross-sign-expiration
> Shortening the Let's Encrypt Chain of Trust
> "On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by 
> default in requests made to our /acme/certificate API endpoint.
> On Thursday, June 6th, 2024, we will stop providing the longer 
> cross-signed chain entirely.
> On Monday, September 30th, 2024, the cross-signed certificate will expire."
> 
> https://letsencrypt.org/2024/03/19/new-intermediate-certificates
> New Intermediate Certificates
> "Let’s Encrypt generated 10 new Intermediate CA Key Pairs, and issued 15 
> new Intermediate CA Certificates containing the new public keys."
> 
> https://letsencrypt.org/2024/04/12/changes-to-issuance-chains
> Deploying Let's Encrypt's New Issuance Chains
> "On Thursday, June 6th, 2024, we will be switching issuance to use our 
> new intermediate certificates. Simultaneously, we are removing the DST 
> Root CA X3 cross-sign from our API, aligning with our strategy to 
> shorten the Let’s Encrypt chain of trust. We will begin issuing ECDSA 
> end-entity certificates from a default chain that just contains a single 
> ECDSA intermediate, removing a second intermediate and the option to 
> issue an ECDSA end-entity certificate from an RSA intermediate."

Re: Let's Encrypt Dropping Cross-Signed Root and Intermediates; Issuing New Intermediates; New Cert Chains

[Brian Inglis]

Unsure of impact and action required was why I posted - Cygwin, Sourceware, GNU, 
Kernel.org, etc. use LE certs.

Looks like new root and/or intermediate certs are available to be packaged 
before they will be used 2024 June 6 and old cross-signed root if included may 
be removed before 2024 Sep 30.

Seems that outdated Android versions will no longer work as before on LE 
certified sites, but probably others have also changed by now.

On 2024-04-19 06:48, Jon Turney via Cygwin-apps wrote:
> On 17/04/2024 04:48, Brian Inglis via Cygwin-apps wrote:
> Is this FYI, or are you suggesting there is some specific action we need to take?
> 
>> https://letsencrypt.org/2023/07/10/cross-sign-expiration
>> Shortening the Let's Encrypt Chain of Trust
>> "On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in 
>> requests made to our /acme/certificate API endpoint.
>> On Thursday, June 6th, 2024, we will stop providing the longer cross-signed 
>> chain entirely.
>> On Monday, September 30th, 2024, the cross-signed certificate will expire."
>>
>> https://letsencrypt.org/2024/03/19/new-intermediate-certificates
>> New Intermediate Certificates
>> "Let’s Encrypt generated 10 new Intermediate CA Key Pairs, and issued 15 new 
>> Intermediate CA Certificates containing the new public keys."
>>
>> https://letsencrypt.org/2024/04/12/changes-to-issuance-chains
>> Deploying Let's Encrypt's New Issuance Chains
>> "On Thursday, June 6th, 2024, we will be switching issuance to use our new 
>> intermediate certificates. Simultaneously, we are removing the DST Root CA X3 
>> cross-sign from our API, aligning with our strategy to shorten the Let’s 
>> Encrypt chain of trust. We will begin issuing ECDSA end-entity certificates 
>> from a default chain that just contains a single ECDSA intermediate, removing 
>> a second intermediate and the option to issue an ECDSA end-entity certificate 
>> from an RSA intermediate."

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry