Shortening the Let's Encrypt Chain of Trust

When Let’s Encrypt first launched, we needed to ensure that our certificates were widely trusted. To that end, we arranged to have our intermediate certificates cross-signed by IdenTrust’s DST Root CA X3. This meant that all certificates issued by those intermediates would be trusted, even while our own ISRG Root X1 wasn’t yet. During subsequent years, our Root X1 became widely trusted on its own.

Come late 2021, our cross-signed intermediates and DST Root CA X3 itself were expiring. And while all up-to-date browsers at that time trusted our root, over a third of Android devices were still running old versions of the OS which would suddenly stop trusting websites using our certificates. That breakage would have been too widespread, so we arranged for a new cross-sign – this time directly onto our root rather than our intermediates – which would outlive DST Root CA X3 itself. This stopgap allowed those old Android devices to continue trusting our certificates for three more years.

On September 30th, 2024, that cross-sign too will expire. In the last three years, the percentage of Android devices which trust our ISRG Root X1 has risen from 66% to 93.9%. That percentage will increase further over the next year, especially as Android releases version 14, which has the ability to update its trust store without a full OS update. In addition, dropping the cross-sign will reduce the number of certificate bytes sent in a TLS handshake by over 40%. Finally, it will significantly reduce our operating costs, allowing us to focus our funding on continuing to improve your privacy and security.

For these reasons, we will not be getting a new cross-sign to extend compatibility any further.

On Thursday, Feb 8th, 2024, we will stop providing the cross-sign by default in requests made to our /acme/certificate API endpoint.