Let's Encrypt, the renowned certificate authority, is changing its certificate chain structure. The change takes effect after May 15th, 2024, and has implications for device compatibility, particularly for older systems. It marks an evolution in Let's Encrypt's approach to trust and security.
Initially, Let's Encrypt employed a cross-signed certificate chain, leveraging IdenTrust’s DST Root CA X3 to ensure widespread trust for its certificates. Over time, Let's Encrypt's own ISRG Root X1 gained extensive trust, leading to the need for a shift in their certificate issuance strategy.
The impending change arises from the expiration of the cross-signed chain on September 30th, 2024. This expiration necessitates adjustments in how certificates are issued and validated, impacting various services like Cloudflare, which relies on Let's Encrypt for certificate provisioning.
This transition primarily affects devices running older operating systems, notably Android versions 7.0 and earlier. Systems that rely solely on the cross-signed chain and do not have ISRG Root X1 in their trust store may experience certificate validation failures after the transition. Such failures could appear as warning messages or access issues for users visiting websites secured by Let's Encrypt certificates.
Cloudflare has outlined vital steps and dates for its users to mitigate potential disruptions. After May 15th, 2024, Cloudflare will cease issuing certificates from the cross-signed CA chain and switch to the ISRG Root X1 chain for new certificates. Existing certificates issued before this date will remain valid with the cross-signed chain until renewal.
Additionally, Cloudflare emphasizes that this change impacts RSA certificates exclusively and does not affect ECDSA certificates issued through Let's Encrypt, which will maintain their current compatibility level.
Proactive measures are recommended for organizations and site operators. These include considering alternative certificate authorities for legacy device compatibility, monitoring support channels for certificate-related inquiries, and updating trust stores to include the ISRG Root X1 chain.
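To see which client populations a served chain can still reach, the following added example (not from the article or from Let's Encrypt or Cloudflare) parses the chain summary printed by `openssl s_client -showcerts` and checks it against each client's trusted roots. It assumes a name-only model that ignores signatures and expiry; the hostnames, the sample chains and the two client profiles are constructed for illustration.

```python
import re

# Constructed `openssl s_client -showcerts` chain summaries (not captured output).
CROSS_SIGNED = """\
Certificate chain
 0 s:CN = legacy.example
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
ISRG_ONLY = """\
Certificate chain
 0 s:CN = modern.example
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""
# Hypothetical client profiles: root names each client's trust store holds.
CLIENTS = {"legacy": {"DST Root CA X3"}, "current": {"ISRG Root X1"}}

def _cn(dn):  # common name from an OpenSSL one-line distinguished name
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        s = re.match(r"\s*\d+\s+s:(.*)", line)
        i = re.match(r"\s+i:(.*)", line)
        if s:
            subject = _cn(s.group(1))
        elif i and subject is not None:
            chain.append((subject, _cn(i.group(1))))
            subject = None
    return chain

def validates(chain, trusted_roots):
    """Name-only path check: a sent certificate must be, or be issued by, a trusted root."""
    return any(subj in trusted_roots or issuer in trusted_roots for subj, issuer in chain)

def compatibility(text, clients=CLIENTS):
    """Map each client profile to whether it can anchor the served chain."""
    chain = parse_chain(text)
    return {name: validates(chain, roots) for name, roots in clients.items()}

if __name__ == "__main__":
    print(compatibility(CROSS_SIGNED), compatibility(ISRG_ONLY))
```

A `False` for the legacy profile on the ISRG Root X1 chain corresponds to the validation failures described above for devices whose trust store lacks ISRG Root X1.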