From 1c2bb00f95f663d137cf39649c6f06b32ca89141 Mon Sep 17 00:00:00 2001 From: Matthew McPherrin Date: Fri, 27 Mar 2026 13:21:21 -0400 Subject: [PATCH 1/3] Link YE/YR test sites from website Switch X1 and X2 to new test site URLs, too. --- content/en/certificates.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/en/certificates.md b/content/en/certificates.md index 810cec8d0..e862b333e 100644 --- a/content/en/certificates.md +++ b/content/en/certificates.md @@ -2,7 +2,7 @@ title: Chains of Trust linkTitle: Chains of Trust (Root and Intermediate Certificates) slug: certificates -lastmod: 2026-01-08 +lastmod: 2026-03-27 show_lastmod: 1 --- @@ -24,7 +24,7 @@ Note that Root CAs don't have expiration dates in quite the same way that other * Certificate details (self-signed): [crt.sh](https://crt.sh/?id=9314791), [der](/certs/isrgrootx1.der), [pem](/certs/isrgrootx1.pem), [txt](/certs/isrgrootx1.txt) * Certificate details (cross-signed by DST Root CA X3): [crt.sh](https://crt.sh/?id=3958242236), [der](/certs/isrg-root-x1-cross-signed.der), [pem](/certs/isrg-root-x1-cross-signed.pem), [txt](/certs/isrg-root-x1-cross-signed.txt) (retired) * CRL hostname: `x1.c.lencr.org` - * Test websites: [valid](https://valid-isrgrootx1.letsencrypt.org/), [revoked](https://revoked-isrgrootx1.letsencrypt.org/), [expired](https://expired-isrgrootx1.letsencrypt.org/) + * Test websites: [valid](https://valid.x1.test-certs.letsencrypt.org), [revoked](https://revoked.x1.test-certs.letsencrypt.org), [expired](https://expired.x1.test-certs.letsencrypt.org) * **ISRG Root X2** * Subject: `O = Internet Security Research Group, CN = ISRG Root X2` * Key type: `ECDSA P-384` 
@@ -34,7 +34,7 @@ Note that Root CAs don't have expiration dates in quite the same way that other * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=3334561878), [der](/certs/isrg-root-x2-cross-signed.der), [pem](/certs/isrg-root-x2-cross-signed.pem), [txt](/certs/isrg-root-x2-cross-signed.txt) * Certificate details (second cross-sign by ISRG Root X1): [crt.sh](https://crt.sh/?id=20878422868), [der](/certs/gen-y/root-x2-by-x1.der), [pem](/certs/gen-y/root-x2-by-x1.pem), [txt](/certs/gen-y/root-x2-by-x1.txt) * CRL hostname: `x2.c.lencr.org` - * Test websites: [valid](https://valid-isrgrootx2.letsencrypt.org/), [revoked](https://revoked-isrgrootx2.letsencrypt.org/), [expired](https://expired-isrgrootx2.letsencrypt.org/) + * Test websites: [valid](https://valid.x2.test-certs.letsencrypt.org), [revoked](https://revoked.x2.test-certs.letsencrypt.org), [expired](https://expired.x2.test-certs.letsencrypt.org) These roots are not yet included in Root Program Trust Stores, but will be submitted for inclusion soon: @@ -46,7 +46,7 @@ These roots are not yet included in Root Program Trust Stores, but will be submi * Certificate details (self-signed): [der](/certs/gen-y/root-ye.der), [pem](/certs/gen-y/root-ye.pem), [txt](/certs/gen-y/root-ye.txt) * Certificate details (cross-signed by ISRG Root X2): [der](/certs/gen-y/root-ye-by-x2.der), [pem](/certs/gen-y/root-ye-by-x2.pem), [txt](/certs/gen-y/root-ye-by-x2.txt) * CRL hostname: `ye.c.lencr.org` - * Test websites: Forthcoming + * Test websites: [valid](https://valid.ye.test-certs.letsencrypt.org), [revoked](https://revoked.ye.test-certs.letsencrypt.org), [expired](https://expired.ye.test-certs.letsencrypt.org) * **ISRG Root YR** * Subject: `O = ISRG, CN = Root YR` * Key type: `RSA 4096` 
@@ -55,7 +55,7 @@ These roots are not yet included in Root Program Trust Stores, but will be submi * Certificate details (self-signed): [der](/certs/gen-y/root-yr.der), [pem](/certs/gen-y/root-yr.pem), [txt](/certs/gen-y/root-yr.txt) * Certificate details (cross-signed by ISRG Root X1): [der](/certs/gen-y/root-yr-by-x1.der), [pem](/certs/gen-y/root-yr-by-x1.pem), [txt](/certs/gen-y/root-yr-by-x1.txt) * CRL hostname: `yr.c.lencr.org` - * Test websites: Forthcoming + * Test websites: [valid](https://valid.yr.test-certs.letsencrypt.org), [revoked](https://revoked.yr.test-certs.letsencrypt.org), [expired](https://expired.yr.test-certs.letsencrypt.org) For additional information on the compatibility of our root certificates with various devices and trust stores, see [Certificate Compatibility](/docs/cert-compat). From 4fafbafd053216e00fda1fbaf9584f8a6a200975 Mon Sep 17 00:00:00 2001 From: Matthew McPherrin Date: Fri, 27 Mar 2026 13:34:44 -0400 Subject: [PATCH 2/3] Keep trailing slashes --- content/en/certificates.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/en/certificates.md b/content/en/certificates.md index e862b333e..05f32ff7b 100644 --- a/content/en/certificates.md +++ b/content/en/certificates.md 
@@ -24,7 +24,7 @@ Note that Root CAs don't have expiration dates in quite the same way that other * Certificate details (self-signed): [crt.sh](https://crt.sh/?id=9314791), [der](/certs/isrgrootx1.der), [pem](/certs/isrgrootx1.pem), [txt](/certs/isrgrootx1.txt) * Certificate details (cross-signed by DST Root CA X3): [crt.sh](https://crt.sh/?id=3958242236), [der](/certs/isrg-root-x1-cross-signed.der), [pem](/certs/isrg-root-x1-cross-signed.pem), [txt](/certs/isrg-root-x1-cross-signed.txt) (retired) * CRL hostname: `x1.c.lencr.org` - * Test websites: [valid](https://valid.x1.test-certs.letsencrypt.org), [revoked](https://revoked.x1.test-certs.letsencrypt.org), [expired](https://expired.x1.test-certs.letsencrypt.org) + * Test websites: [valid](https://valid.x1.test-certs.letsencrypt.org/), [revoked](https://revoked.x1.test-certs.letsencrypt.org/), [expired](https://expired.x1.test-certs.letsencrypt.org/) * **ISRG Root X2** * Subject: `O = Internet Security Research Group, CN = ISRG Root X2` * Key type: `ECDSA P-384` 
@@ -34,7 +34,7 @@ Note that Root CAs don't have expiration dates in quite the same way that other * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=3334561878), [der](/certs/isrg-root-x2-cross-signed.der), [pem](/certs/isrg-root-x2-cross-signed.pem), [txt](/certs/isrg-root-x2-cross-signed.txt) * Certificate details (second cross-sign by ISRG Root X1): [crt.sh](https://crt.sh/?id=20878422868), [der](/certs/gen-y/root-x2-by-x1.der), [pem](/certs/gen-y/root-x2-by-x1.pem), [txt](/certs/gen-y/root-x2-by-x1.txt) * CRL hostname: `x2.c.lencr.org` - * Test websites: [valid](https://valid.x2.test-certs.letsencrypt.org), [revoked](https://revoked.x2.test-certs.letsencrypt.org), [expired](https://expired.x2.test-certs.letsencrypt.org) + * Test websites: [valid](https://valid.x2.test-certs.letsencrypt.org/), [revoked](https://revoked.x2.test-certs.letsencrypt.org/), [expired](https://expired.x2.test-certs.letsencrypt.org/) These roots are not yet included in Root Program Trust Stores, but will be submitted for inclusion soon: @@ -46,7 +46,7 @@ These roots are not yet included in Root Program Trust Stores, but will be submi * Certificate details (self-signed): [der](/certs/gen-y/root-ye.der), [pem](/certs/gen-y/root-ye.pem), [txt](/certs/gen-y/root-ye.txt) * Certificate details (cross-signed by ISRG Root X2): [der](/certs/gen-y/root-ye-by-x2.der), [pem](/certs/gen-y/root-ye-by-x2.pem), [txt](/certs/gen-y/root-ye-by-x2.txt) * CRL hostname: `ye.c.lencr.org` - * Test websites: [valid](https://valid.ye.test-certs.letsencrypt.org), [revoked](https://revoked.ye.test-certs.letsencrypt.org), [expired](https://expired.ye.test-certs.letsencrypt.org) + * Test websites: [valid](https://valid.ye.test-certs.letsencrypt.org/), [revoked](https://revoked.ye.test-certs.letsencrypt.org/), [expired](https://expired.ye.test-certs.letsencrypt.org/) * **ISRG Root YR** * Subject: `O = ISRG, CN = Root YR` * Key type: `RSA 4096` 
@@ -55,7 +55,7 @@ These roots are not yet included in Root Program Trust Stores, but will be submi * Certificate details (self-signed): [der](/certs/gen-y/root-yr.der), [pem](/certs/gen-y/root-yr.pem), [txt](/certs/gen-y/root-yr.txt) * Certificate details (cross-signed by ISRG Root X1): [der](/certs/gen-y/root-yr-by-x1.der), [pem](/certs/gen-y/root-yr-by-x1.pem), [txt](/certs/gen-y/root-yr-by-x1.txt) * CRL hostname: `yr.c.lencr.org` - * Test websites: [valid](https://valid.yr.test-certs.letsencrypt.org), [revoked](https://revoked.yr.test-certs.letsencrypt.org), [expired](https://expired.yr.test-certs.letsencrypt.org) + * Test websites: [valid](https://valid.yr.test-certs.letsencrypt.org/), [revoked](https://revoked.yr.test-certs.letsencrypt.org/), [expired](https://expired.yr.test-certs.letsencrypt.org/) For additional information on the compatibility of our root certificates with various devices and trust stores, see [Certificate Compatibility](/docs/cert-compat). From 6031b3b1fb00d437580c324e8d27e5889318cf0d Mon Sep 17 00:00:00 2001 From: Matthew McPherrin Date: Fri, 27 Mar 2026 13:37:30 -0400 Subject: [PATCH 3/3] Also update link in old blog post --- content/en/post/2019-4-15-transitioning-to-isrg-root.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/post/2019-4-15-transitioning-to-isrg-root.md b/content/en/post/2019-4-15-transitioning-to-isrg-root.md index 61fbe4ff6..f37f0a768 100644 --- a/content/en/post/2019-4-15-transitioning-to-isrg-root.md +++ b/content/en/post/2019-4-15-transitioning-to-isrg-root.md 
@@ -20,7 +20,7 @@ Since Let’s Encrypt launched, our certificates have been trusted by browsers v Now that our own root, [ISRG Root X1](https://letsencrypt.org/certificates/), is [widely trusted by browsers](https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html) we’d like to transition our subscribers to using our root directly, without a cross-sign. -On **January 11, 2021**, Let’s Encrypt will start serving a certificate chain via the ACME protocol which leads directly to our root, with no cross-signature. Most subscribers don’t need to take any action because their ACME client will handle everything automatically. Subscribers who need to support very old TLS/SSL clients may wish to manually configure their servers to continue using the cross-signature from IdenTrust. You can test whether a given client will work with the newer intermediate by accessing our [test site](https://valid-isrgrootx1.letsencrypt.org/). +On **January 11, 2021**, Let’s Encrypt will start serving a certificate chain via the ACME protocol which leads directly to our root, with no cross-signature. Most subscribers don’t need to take any action because their ACME client will handle everything automatically. Subscribers who need to support very old TLS/SSL clients may wish to manually configure their servers to continue using the cross-signature from IdenTrust. You can test whether a given client will work with the newer intermediate by accessing our [test site](https://valid.x1.test-certs.letsencrypt.org/). Our current cross-signature from IdenTrust expires on March 17, 2021. The IdenTrust root that we are cross-signed from expires on September 30, 2021. Within the next year we will obtain a new cross-signature that is valid until September 29, 2021. This means that our subscribers will have the option to manually configure a certificate chain that uses IdenTrust until **September 29, 2021**.
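Review bot: PATCH 1/3 writes all twelve test-site URLs in `content/en/certificates.md` without the trailing slash that the removed X1 and X2 lines had (for example `https://valid.x1.test-certs.letsencrypt.org`), and PATCH 2/3 then touches the same four lines only to add the slash back. Squashing 2/3 into 1/3 would remove that intermediate state, leaving one commit in which the X1 and X2 lines differ from the old ones by hostname alone and the YE and YR lines replace `Forthcoming`.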
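Review bot: In the YE and YR hunks of PATCH 1/3 (`@@ -46,7 +46,7 @@` and `@@ -55,7 +55,7 @@`), the new `valid` links sit under the unchanged context line "These roots are not yet included in Root Program Trust Stores", and nothing tells the reader what result to expect when opening them. Suggest a short sentence beside these links saying whether the test sites serve a chain through the cross-signs listed just above them (YE by ISRG Root X2, YR by ISRG Root X1) or only up to the self-signed root, so that a trust failure on the `valid` site is not misread as a broken client.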
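Review bot: The hunk in `content/en/post/2019-4-15-transitioning-to-isrg-root.md` (PATCH 3/3) swaps `valid-isrgrootx1.letsencrypt.org` for `valid.x1.test-certs.letsencrypt.org`, but neither this commit message nor the one on PATCH 1/3 says whether the old `*-isrgrootx1` and `*-isrgrootx2` hostnames keep resolving or redirect. The post's own sentence asks readers to test clients against this site, so the old names may be saved in client test procedures. Suggest stating their fate in the PATCH 1/3 message, and if they are being retired, saying so on the certificates page.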