diff --git a/content/en/certificates.md b/content/en/certificates.md index 810cec8d0..05f32ff7b 100644 --- a/content/en/certificates.md +++ b/content/en/certificates.md @@ -2,7 +2,7 @@ title: Chains of Trust linkTitle: Chains of Trust (Root and Intermediate Certificates) slug: certificates -lastmod: 2026-01-08 +lastmod: 2026-03-27 show_lastmod: 1 --- @@ -24,7 +24,7 @@ Note that Root CAs don't have expiration dates in quite the same way that other * Certificate details (self-signed): [crt.sh](https://crt.sh/?id=9314791), [der](/certs/isrgrootx1.der), [pem](/certs/isrgrootx1.pem), [txt](/certs/isrgrootx1.txt) * Certificate details (cross-signed by DST Root CA X3): [crt.sh](https://crt.sh/?id=3958242236), [der](/certs/isrg-root-x1-cross-signed.der), [pem](/certs/isrg-root-x1-cross-signed.pem), [txt](/certs/isrg-root-x1-cross-signed.txt) (retired) * CRL hostname: `x1.c.lencr.org` - * Test websites: [valid](https://valid-isrgrootx1.letsencrypt.org/), [revoked](https://revoked-isrgrootx1.letsencrypt.org/), [expired](https://expired-isrgrootx1.letsencrypt.org/) + * Test websites: [valid](https://valid.x1.test-certs.letsencrypt.org/), [revoked](https://revoked.x1.test-certs.letsencrypt.org/), [expired](https://expired.x1.test-certs.letsencrypt.org/) * **ISRG Root X2** * Subject: `O = Internet Security Research Group, CN = ISRG Root X2` * Key type: `ECDSA P-384` @@ -34,7 +34,7 @@ Note that Root CAs don't have expiration dates in quite the same way that other * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=3334561878), [der](/certs/isrg-root-x2-cross-signed.der), [pem](/certs/isrg-root-x2-cross-signed.pem), [txt](/certs/isrg-root-x2-cross-signed.txt) * Certificate details (second cross-sign by ISRG Root X1): [crt.sh](https://crt.sh/?id=20878422868), [der](/certs/gen-y/root-x2-by-x1.der), [pem](/certs/gen-y/root-x2-by-x1.pem), [txt](/certs/gen-y/root-x2-by-x1.txt) * CRL hostname: `x2.c.lencr.org` - * Test websites: [valid](https://valid-isrgrootx2.letsencrypt.org/), [revoked](https://revoked-isrgrootx2.letsencrypt.org/), [expired](https://expired-isrgrootx2.letsencrypt.org/) + * Test websites: [valid](https://valid.x2.test-certs.letsencrypt.org/), [revoked](https://revoked.x2.test-certs.letsencrypt.org/), [expired](https://expired.x2.test-certs.letsencrypt.org/) These roots are not yet included in Root Program Trust Stores, but will be submitted for inclusion soon: @@ -46,7 +46,7 @@ These roots are not yet included in Root Program Trust Stores, but will be submi * Certificate details (self-signed): [der](/certs/gen-y/root-ye.der), [pem](/certs/gen-y/root-ye.pem), [txt](/certs/gen-y/root-ye.txt) * Certificate details (cross-signed by ISRG Root X2): [der](/certs/gen-y/root-ye-by-x2.der), [pem](/certs/gen-y/root-ye-by-x2.pem), [txt](/certs/gen-y/root-ye-by-x2.txt) * CRL hostname: `ye.c.lencr.org` - * Test websites: Forthcoming + * Test websites: [valid](https://valid.ye.test-certs.letsencrypt.org/), [revoked](https://revoked.ye.test-certs.letsencrypt.org/), [expired](https://expired.ye.test-certs.letsencrypt.org/) * **ISRG Root YR** * Subject: `O = ISRG, CN = Root YR` * Key type: `RSA 4096` @@ -55,7 +55,7 @@ These roots are not yet included in Root Program Trust Stores, but will be submi * Certificate details (self-signed): [der](/certs/gen-y/root-yr.der), [pem](/certs/gen-y/root-yr.pem), [txt](/certs/gen-y/root-yr.txt) * Certificate details (cross-signed by ISRG Root X1): [der](/certs/gen-y/root-yr-by-x1.der), [pem](/certs/gen-y/root-yr-by-x1.pem), [txt](/certs/gen-y/root-yr-by-x1.txt) * CRL hostname: `yr.c.lencr.org` - * Test websites: Forthcoming + * Test websites: [valid](https://valid.yr.test-certs.letsencrypt.org/), [revoked](https://revoked.yr.test-certs.letsencrypt.org/), [expired](https://expired.yr.test-certs.letsencrypt.org/) For additional information on the compatibility of our root certificates with various devices and trust stores, see [Certificate Compatibility](/docs/cert-compat). diff --git a/content/en/post/2019-4-15-transitioning-to-isrg-root.md b/content/en/post/2019-4-15-transitioning-to-isrg-root.md index 61fbe4ff6..f37f0a768 100644 --- a/content/en/post/2019-4-15-transitioning-to-isrg-root.md +++ b/content/en/post/2019-4-15-transitioning-to-isrg-root.md @@ -20,7 +20,7 @@ Since Let’s Encrypt launched, our certificates have been trusted by browsers v Now that our own root, [ISRG Root X1](https://letsencrypt.org/certificates/), is [widely trusted by browsers](https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html) we’d like to transition our subscribers to using our root directly, without a cross-sign. -On **January 11, 2021**, Let’s Encrypt will start serving a certificate chain via the ACME protocol which leads directly to our root, with no cross-signature. Most subscribers don’t need to take any action because their ACME client will handle everything automatically. Subscribers who need to support very old TLS/SSL clients may wish to manually configure their servers to continue using the cross-signature from IdenTrust. You can test whether a given client will work with the newer intermediate by accessing our [test site](https://valid-isrgrootx1.letsencrypt.org/). +On **January 11, 2021**, Let’s Encrypt will start serving a certificate chain via the ACME protocol which leads directly to our root, with no cross-signature. Most subscribers don’t need to take any action because their ACME client will handle everything automatically. Subscribers who need to support very old TLS/SSL clients may wish to manually configure their servers to continue using the cross-signature from IdenTrust. You can test whether a given client will work with the newer intermediate by accessing our [test site](https://valid.x1.test-certs.letsencrypt.org/). Our current cross-signature from IdenTrust expires on March 17, 2021. The IdenTrust root that we are cross-signed from expires on September 30, 2021. Within the next year we will obtain a new cross-signature that is valid until September 29, 2021. This means that our subscribers will have the option to manually configure a certificate chain that uses IdenTrust until **September 29, 2021**.