/plushcap/analysis/cloudflare/upcoming-lets-encrypt-certificate-chain-change-and-impact-for-cloudflare-customers

Upcoming Let’s Encrypt certificate chain change and impact for Cloudflare customers

What's this blog post about?

Let's Encrypt, a public certificate authority (CA), has been using two distinct certificate chains since its launch. One chain is cross-signed with IdenTrust, a globally trusted CA, and the other is Let’s Encrypt’s own root CA, ISRG Root X1. On September 30, 2024, Let’s Encrypt’s certificate chain cross-signed with IdenTrust will expire. To prepare for this change, on May 15, 2024, Cloudflare will stop issuing certificates from the cross-signed chain and will instead use Let’s Encrypt’s ISRG Root X1 chain for all future Let’s Encrypt certificates. This change may impact legacy devices and systems that exclusively rely on the cross-signed chain and lack the ISRG X1 root in their trust store, potentially causing TLS errors or warnings when accessing domains secured by a Let’s Encrypt certificate. Cloudflare recommends updating the trust store to include the ISRG Root X1 for those concerned about the change impacting clients.

Company
Cloudflare

Date published
March 14, 2024

Author(s)
Dina Kozlov

Word count
871

Language
English

Hacker News points
20


By Matt Makai. 2021-2024.