diff --git a/content/en/certificates.md b/content/en/certificates.md index 03d60c15e..99b56fa3a 100644 --- a/content/en/certificates.md +++ b/content/en/certificates.md 
@@ -8,16 +8,16 @@ show_lastmod: 1 This page describes all of the current and relevant historical Certification Authorities operated by Let's Encrypt. Note that a CA is most correctly thought of as a key and a name: any given CA may be represented by _multiple_ certificates which all contain the same Subject and Public Key Information. In such cases, we have provided the details of all certificates which represent the CA. If you're looking for the Trust Anchor IDs associated with these CAs, see our page on [Object Identifiers](/docs/oids). -[![ISRG Certificate Hierarchy Diagram, as of January 2026](/images/isrg-hierarchy.png)](/images/isrg-hierarchy-full.png) +[![ISRG Certificate Hierarchy Diagram, as of July 2026](/images/isrg-hierarchy.png)](/images/isrg-hierarchy-full.png) # Root CAs -Our root key material is kept safely offline. We issue end-entity certificates to subscribers from the intermediates described in the next section. All root certificate Subjects have a Country field of `C = US`. +Our root key material is kept safely offline. We issue end-entity certificates to subscribers from the intermediates described in the next section. Note that Root CAs don't have expiration dates in quite the same way that other certificates do. Although their self-signed certificates do contain a `notAfter` date, Root Programs and Trust Stores may decide to trust a Root CA beyond that date, or terminate trust in it before that date. As such, the end-of-validity dates given below are approximate, based on current Root Program policies. * **ISRG Root X1** - * Subject: `O = Internet Security Research Group, CN = ISRG Root X1` + * Subject: `C=US, O=Internet Security Research Group, CN=ISRG Root X1` * Key type: `RSA 4096` * Trusted until: 2030-06-04 (generated 2015-06-04) * CA details: [crt.sh](https://crt.sh/?caid=7394), [issued certs](https://crt.sh/?Identity=%25&iCAID=7394) 
@@ -26,7 +26,7 @@ Note that Root CAs don't have expiration dates in quite the same way that other * CRL hostname: `x1.c.lencr.org` * Test websites: [valid](https://valid.x1.test-certs.letsencrypt.org/), [revoked](https://revoked.x1.test-certs.letsencrypt.org/), [expired](https://expired.x1.test-certs.letsencrypt.org/) * **ISRG Root X2** - * Subject: `O = Internet Security Research Group, CN = ISRG Root X2` + * Subject: `C=US, O=Internet Security Research Group, CN=ISRG Root X2` * Key type: `ECDSA P-384` * Trusted until: 2035-09-04 (generated 2020-09-04) * CA details: [crt.sh](https://crt.sh/?caid=183269), [issued certs](https://crt.sh/?Identity=%25&iCAID=183269) @@ -38,7 +38,7 @@ Note that Root CAs don't have expiration dates in quite the same way that other These roots are not yet included in Root Program Trust Stores, but will be submitted for inclusion soon: * **ISRG Root YE** - * Subject: `O = ISRG, CN = Root YE` + * Subject: `C=US, O=ISRG, CN=Root YE` * Key type: `ECDSA P-384` * Trusted until: N/A (generated 2025-09-03) * CA details: [crt.sh](https://crt.sh/?caid=430535), [issued certs](https://crt.sh/?Identity=%25&iCAID=430535) @@ -47,7 +47,7 @@ These roots are not yet included in Root Program Trust Stores, but will be submi * CRL hostname: `ye.c.lencr.org` * Test websites: [valid](https://valid.ye.test-certs.letsencrypt.org/), [revoked](https://revoked.ye.test-certs.letsencrypt.org/), [expired](https://expired.ye.test-certs.letsencrypt.org/) * **ISRG Root YR** - * Subject: `O = ISRG, CN = Root YR` + * Subject: `C=US, O=ISRG, CN=Root YR` * Key type: `RSA 4096` * Trusted until: N/A (generated 2025-09-03) * CA details: [crt.sh](https://crt.sh/?caid=430543), [issued certs](https://crt.sh/?Identity=%25&iCAID=430543) 
@@ -60,52 +60,10 @@ For additional information on the compatibility of our root certificates with va # Subordinate (Intermediate) CAs -We currently maintain eight intermediates in active rotation. Subscriber certificates containing an ECDSA public key will be issued from one of the ECDSA intermediates; similarly, Subscriber certificates containing an RSA public key will be issued from one of the RSA intermediates. Subscriber certificates issued under the "tlsclient" [profile](/docs/profiles) will be issued from one of the first four intermediates listed (E7 through R13); conversely, Subscriber certificates issued under the "classic", "tlsserver", and "shortlived" profiles will be issued from one of the latter four intermediates (YE1 through YR2). +We currently maintain four intermediates in active rotation. Subscriber certificates containing an ECDSA public key will be issued from one of the ECDSA intermediates; similarly, Subscriber certificates containing an RSA public key will be issued from one of the RSA intermediates. -All intermediate certificate Subjects have a Country field of `C = US`. 
- -* **Let's Encrypt E7** - * Subject: `O = Let's Encrypt, CN = E7` - * Key type: `ECDSA P-384` - * Valid until: 2027-03-12 - * CA details: [crt.sh](https://crt.sh/?caid=295813), [issued certs](https://crt.sh/?Identity=%25&iCAID=295813) - * Certificate details (signed by ISRG Root X2): [crt.sh](https://crt.sh/?id=12396132900), [der](/certs/2024/e7.der), [pem](/certs/2024/e7.pem), [txt](/certs/2024/e7.txt) - * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132895), [der](/certs/2024/e7-cross.der), [pem](/certs/2024/e7-cross.pem), [txt](/certs/2024/e7-cross.txt) - * CRL hostname: `e7.c.lencr.org` - * Chains: - * EE ← E7 ← ISRG Root X1 (Default) - * EE ← E7 ← ISRG Root X2 -* **Let's Encrypt E8** - * Subject: `O = Let's Encrypt, CN = E8` - * Key type: `ECDSA P-384` - * Valid until: 2027-03-12 - * CA details: [crt.sh](https://crt.sh/?caid=295809), [issued certs](https://crt.sh/?Identity=%25&iCAID=295809) - * Certificate details (signed by ISRG Root X2): [crt.sh](https://crt.sh/?id=12396132890), [der](/certs/2024/e8.der), [pem](/certs/2024/e8.pem), [txt](/certs/2024/e8.txt) - * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132901), [der](/certs/2024/e8-cross.der), [pem](/certs/2024/e8-cross.pem), [txt](/certs/2024/e8-cross.txt) - * CRL hostname: `e8.c.lencr.org` - * Chains: - * EE ← E8 ← ISRG Root X1 (Default) - * EE ← E8 ← ISRG Root X2 -* **Let's Encrypt R12** - * Subject: `O = Let's Encrypt, CN = R12` - * Key type: `RSA 2048` - * Valid until: 2027-03-12 - * CA details: [crt.sh](https://crt.sh/?caid=295816), [issued certs](https://crt.sh/?Identity=%25&iCAID=295816) - * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132898), [der](/certs/2024/r12.der), [pem](/certs/2024/r12.pem), [txt](/certs/2024/r12.txt) - * CRL hostname: `r12.c.lencr.org` - * Chains: - * EE ← R12 ← ISRG Root X1 (Default) -* **Let's Encrypt R13** - * Subject: `O = Let's Encrypt, CN = R13` - * 
Key type: `RSA 2048` - * Valid until: 2027-03-12 - * CA details: [crt.sh](https://crt.sh/?caid=295817), [issued certs](https://crt.sh/?Identity=%25&iCAID=295817) - * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132902), [der](/certs/2024/r13.der), [pem](/certs/2024/r13.pem), [txt](/certs/2024/r13.txt) - * CRL hostname: `r13.c.lencr.org` - * Chains: - * EE ← R13 ← ISRG Root X1 (Default) * **Let's Encrypt YE1** - * Subject: `O = Let's Encrypt, CN = YE1` + * Subject: `C=US, O=Let's Encrypt, CN=YE1` * Key type: `ECDSA P-384` * Valid until: 2028-09-02 * CA details: [crt.sh](https://crt.sh/?caid=432952), [issued certs](https://crt.sh/?Identity=%25&iCAID=432952) @@ -116,7 +74,7 @@ All intermediate certificate Subjects have a Country field of `C = US`. * EE ← YE1 ← Root YE ← ISRG Root X2 * EE ← YE1 ← Root YE * **Let's Encrypt YE2** - * Subject: `O = Let's Encrypt, CN = YE2` + * Subject: `C=US, O=Let's Encrypt, CN=YE2` * Key type: `ECDSA P-384` * Valid until: 2028-09-02 * CA details: [crt.sh](https://crt.sh/?caid=431054), [issued certs](https://crt.sh/?Identity=%25&iCAID=431054) @@ -127,7 +85,7 @@ All intermediate certificate Subjects have a Country field of `C = US`. * EE ← YE2 ← Root YE ← ISRG Root X2 * EE ← YE2 ← Root YE * **Let's Encrypt YR1** - * Subject: `O = Let's Encrypt, CN = YR1` + * Subject: `C=US, O=Let's Encrypt, CN=YR1` * Key type: `RSA 2048` * Valid until: 2028-09-02 * CA details: [crt.sh](https://crt.sh/?caid=432476), [issued certs](https://crt.sh/?Identity=%25&iCAID=432476) @@ -137,7 +95,7 @@ All intermediate certificate Subjects have a Country field of `C = US`. * EE ← YR1 ← Root YR ← ISRG Root X1 (Default) * EE ← YR1 ← Root YR * **Let's Encrypt YR2** - * Subject: `O = Let's Encrypt, CN = YR2` + * Subject: `C=US, O=Let's Encrypt, CN=YR2` * Key type: `RSA 2048` * Valid until: 2028-09-02 * CA details: [crt.sh](https://crt.sh/?caid=432477), [issued certs](https://crt.sh/?Identity=%25&iCAID=432477) 
@@ -154,30 +112,15 @@ Click below for details on additional intermediates which are not part of the ac These intermediate CAs have currently-valid certificates, but are not being issued from. We may begin issuing Subscriber certificates from them at any time, without warning. -* **Let's Encrypt E9** - * Subject: `O = Let's Encrypt, CN = E9` - * Key type: `ECDSA P-384` - * Valid until: 2027-03-12 - * CA details: [crt.sh](https://crt.sh/?caid=295812), [issued certs](https://crt.sh/?Identity=%25&iCAID=295812) - * Certificate details (signed by ISRG Root X2): [crt.sh](https://crt.sh/?id=12396132894), [der](/certs/2024/e9.der), [pem](/certs/2024/e9.pem), [txt](/certs/2024/e9.txt) - * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132894), [der](/certs/2024/e9-cross.der), [pem](/certs/2024/e9-cross.pem), [txt](/certs/2024/e9-cross.txt) - * CRL hostname: `e9.c.lencr.org` -* **Let's Encrypt R14** - * Subject: `O = Let's Encrypt, CN = R14` - * Key type: `RSA 2048` - * Valid until: 2027-03-12 - * CA details: [crt.sh](https://crt.sh/?caid=295818), [issued certs](https://crt.sh/?Identity=%25&iCAID=295818) - * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132903), [der](/certs/2024/r14.der), [pem](/certs/2024/r14.pem), [txt](/certs/2024/r14.txt) - * CRL hostname: `r14.c.lencr.org` * **Let's Encrypt YE3** - * Subject: `O = Let's Encrypt, CN = YE3` + * Subject: `C=US, O=Let's Encrypt, CN=YE3` * Key type: `ECDSA P-384` * Valid until: 2028-09-02 * CA details: [crt.sh](https://crt.sh/?caid=432914), [issued certs](https://crt.sh/?Identity=%25&iCAID=432914) * Certificate details: [der](/certs/gen-y/int-ye3.der), [pem](/certs/gen-y/int-ye3.pem), [txt](/certs/gen-y/int-ye3.txt) * CRL hostname: `ye3.c.lencr.org` * **Let's Encrypt YR3** - * Subject: `O = Let's Encrypt, CN = YR3` + * Subject: `C=US, O=Let's Encrypt, CN=YR3` * Key type: `RSA 2048` * Valid until: 2028-09-02 * CA details: 
[crt.sh](https://crt.sh/?caid=432480), [issued certs](https://crt.sh/?Identity=%25&iCAID=432480) @@ -189,24 +132,10 @@ These intermediate CAs have currently-valid certificates, but are not being issu
Retired -These intermediate CAs are no longer being used to issue Subscriber certificates. Those which still have valid certificates may be producing CRLs. +These intermediate CAs are no longer being used to issue Subscriber certificates. Those which issued any certificates will continue producing CRLs until they expire. -* **Let's Encrypt E1** - * Subject: `O = Let's Encrypt, CN = E1` - * Key type: `ECDSA P-384` - * Valid until: 2025-09-15 (expired) - * CA details: [crt.sh](https://crt.sh/?caid=183283), [issued certs](https://crt.sh/?Identity=%25&iCAID=183283) - * Certificate details (signed by ISRG Root X2): [crt.sh](https://crt.sh/?id=3334671964), [der](/certs/lets-encrypt-e1.der), [pem](/certs/lets-encrypt-e1.pem), [txt](/certs/lets-encrypt-e1.txt) - * CRL hostname: `e1.c.lencr.org` -* **Let's Encrypt E2** - * Subject: `O = Let's Encrypt, CN = E2` - * Key type: `ECDSA P-384` - * Valid until: 2025-09-15 (expired) - * CA details: [crt.sh](https://crt.sh/?caid=183284), [issued certs](https://crt.sh/?Identity=%25&iCAID=183284) - * Certificate details (signed by ISRG Root X2): [crt.sh](https://crt.sh/?id=3334671963), [der](/certs/lets-encrypt-e2.der), [pem](/certs/lets-encrypt-e2.pem), [txt](/certs/lets-encrypt-e2.txt) - * CRL hostname: `e2.c.lencr.org` * **Let's Encrypt E5** - * Subject: `O = Let's Encrypt, CN = E5` + * Subject: `C=US, O=Let's Encrypt, CN=E5` * Key type: `ECDSA P-384` * Valid until: 2027-03-12 * CA details: [crt.sh](https://crt.sh/?caid=295810), [issued certs](https://crt.sh/?Identity=%25&iCAID=295810) 
@@ -214,71 +143,138 @@ These intermediate CAs are no longer being used to issue Subscriber certificates * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132892), [der](/certs/2024/e5-cross.der), [pem](/certs/2024/e5-cross.pem), [txt](/certs/2024/e5-cross.txt) * CRL hostname: `e5.c.lencr.org` * **Let's Encrypt E6** - * Subject: `O = Let's Encrypt, CN = E6` + * Subject: `C=US, O=Let's Encrypt, CN=E6` * Key type: `ECDSA P-384` * Valid until: 2027-03-12 * CA details: [crt.sh](https://crt.sh/?caid=295819), [issued certs](https://crt.sh/?Identity=%25&iCAID=295819) * Certificate details (signed by ISRG Root X2): [crt.sh](https://crt.sh/?id=12396132905), [der](/certs/2024/e6.der), [pem](/certs/2024/e6.pem), [txt](/certs/2024/e6.txt) * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132904), [der](/certs/2024/e6-cross.der), [pem](/certs/2024/e6-cross.pem), [txt](/certs/2024/e6-cross.txt) * CRL hostname: `e6.c.lencr.org` -* **Let's Encrypt R3** - * Subject: `O = Let's Encrypt, CN = R3` - * Key type: `RSA 2048` - * Valid until: 2025-09-15 (expired) - * CA details: [crt.sh](https://crt.sh/?caid=183267), [issued certs](https://crt.sh/?Identity=%25&iCAID=183267) - * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=3334561879), [der](/certs/lets-encrypt-r3.der), [pem](/certs/lets-encrypt-r3.pem), [txt](/certs/lets-encrypt-r3.txt) - * Certificate details (cross-signed by IdenTrust): [crt.sh](https://crt.sh/?id=3479778542), [der](/certs/lets-encrypt-r3-cross-signed.der), [pem](/certs/lets-encrypt-r3-cross-signed.pem), [txt](/certs/lets-encrypt-r3-cross-signed.txt) - * CRL hostname: `r3.c.lencr.org` -* **Let's Encrypt R4** - * Subject: `O = Let's Encrypt, CN = R4` - * Key type: `RSA 2048` - * Valid until: 2025-09-15 (expired) - * CA details: [crt.sh](https://crt.sh/?caid=183268), [issued certs](https://crt.sh/?Identity=%25&iCAID=183268) - * Certificate details (signed by ISRG Root 
X1): [crt.sh](https://crt.sh/?id=3334561877), [der](/certs/lets-encrypt-r4.der), [pem](/certs/lets-encrypt-r4.pem), [txt](/certs/lets-encrypt-r4.txt) - * Certificate details (cross-signed by IdenTrust): [crt.sh](https://crt.sh/?id=3479778543), [der](/certs/lets-encrypt-r4-cross-signed.der), [pem](/certs/lets-encrypt-r4-cross-signed.pem), [txt](/certs/lets-encrypt-r4-cross-signed.txt) - * CRL hostname: `r4.c.lencr.org` +* **Let's Encrypt E7** + * Subject: `C=US, O=Let's Encrypt, CN=E7` + * Key type: `ECDSA P-384` + * Valid until: 2027-03-12 + * CA details: [crt.sh](https://crt.sh/?caid=295813), [issued certs](https://crt.sh/?Identity=%25&iCAID=295813) + * Certificate details (signed by ISRG Root X2): [crt.sh](https://crt.sh/?id=12396132900), [der](/certs/2024/e7.der), [pem](/certs/2024/e7.pem), [txt](/certs/2024/e7.txt) + * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132895), [der](/certs/2024/e7-cross.der), [pem](/certs/2024/e7-cross.pem), [txt](/certs/2024/e7-cross.txt) + * CRL hostname: `e7.c.lencr.org` +* **Let's Encrypt E8** + * Subject: `C=US, O=Let's Encrypt, CN=E8` + * Key type: `ECDSA P-384` + * Valid until: 2027-03-12 + * CA details: [crt.sh](https://crt.sh/?caid=295809), [issued certs](https://crt.sh/?Identity=%25&iCAID=295809) + * Certificate details (signed by ISRG Root X2): [crt.sh](https://crt.sh/?id=12396132890), [der](/certs/2024/e8.der), [pem](/certs/2024/e8.pem), [txt](/certs/2024/e8.txt) + * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132901), [der](/certs/2024/e8-cross.der), [pem](/certs/2024/e8-cross.pem), [txt](/certs/2024/e8-cross.txt) + * CRL hostname: `e8.c.lencr.org` +* **Let's Encrypt E9** + * Subject: `C=US, O=Let's Encrypt, CN=E9` + * Key type: `ECDSA P-384` + * Valid until: 2027-03-12 + * CA details: [crt.sh](https://crt.sh/?caid=295812), [issued certs](https://crt.sh/?Identity=%25&iCAID=295812) + * Certificate details (signed by ISRG Root X2): 
[crt.sh](https://crt.sh/?id=12396132894), [der](/certs/2024/e9.der), [pem](/certs/2024/e9.pem), [txt](/certs/2024/e9.txt) + * Certificate details (cross-signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132894), [der](/certs/2024/e9-cross.der), [pem](/certs/2024/e9-cross.pem), [txt](/certs/2024/e9-cross.txt) + * CRL hostname: `e9.c.lencr.org` * **Let's Encrypt R10** - * Subject: `O = Let's Encrypt, CN = R10` + * Subject: `C=US, O=Let's Encrypt, CN=R10` * Key type: `RSA 2048` * Valid until: 2027-03-12 * CA details: [crt.sh](https://crt.sh/?caid=295814), [issued certs](https://crt.sh/?Identity=%25&iCAID=295814) * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132896), [der](/certs/2024/r10.der), [pem](/certs/2024/r10.pem), [txt](/certs/2024/r10.txt) * CRL hostname: `r10.c.lencr.org` * **Let's Encrypt R11** - * Subject: `O = Let's Encrypt, CN = R11` + * Subject: `C=US, O=Let's Encrypt, CN=R11` * Key type: `RSA 2048` * Valid until: 2027-03-12 * CA details: [crt.sh](https://crt.sh/?caid=295815), [issued certs](https://crt.sh/?Identity=%25&iCAID=295815) * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132897), [der](/certs/2024/r11.der), [pem](/certs/2024/r11.pem), [txt](/certs/2024/r11.txt) * CRL hostname: `r11.c.lencr.org` +* **Let's Encrypt R12** + * Subject: `C=US, O=Let's Encrypt, CN=R12` + * Key type: `RSA 2048` + * Valid until: 2027-03-12 + * CA details: [crt.sh](https://crt.sh/?caid=295816), [issued certs](https://crt.sh/?Identity=%25&iCAID=295816) + * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132898), [der](/certs/2024/r12.der), [pem](/certs/2024/r12.pem), [txt](/certs/2024/r12.txt) + * CRL hostname: `r12.c.lencr.org` +* **Let's Encrypt R13** + * Subject: `C=US, O=Let's Encrypt, CN=R13` + * Key type: `RSA 2048` + * Valid until: 2027-03-12 + * CA details: [crt.sh](https://crt.sh/?caid=295817), [issued certs](https://crt.sh/?Identity=%25&iCAID=295817) + * 
Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132902), [der](/certs/2024/r13.der), [pem](/certs/2024/r13.pem), [txt](/certs/2024/r13.txt) + * CRL hostname: `r13.c.lencr.org` +* **Let's Encrypt R14** + * Subject: `C=US, O=Let's Encrypt, CN=R14` + * Key type: `RSA 2048` + * Valid until: 2027-03-12 + * CA details: [crt.sh](https://crt.sh/?caid=295818), [issued certs](https://crt.sh/?Identity=%25&iCAID=295818) + * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12396132903), [der](/certs/2024/r14.der), [pem](/certs/2024/r14.pem), [txt](/certs/2024/r14.txt) + * CRL hostname: `r14.c.lencr.org` + +
+ +
+Expired + +These intermediate CAs cannot issue Subscriber Certificates. + * **Let's Encrypt Authority X1** - * Subject: `O = Let's Encrypt, CN = Let's Encrypt Authority X1` + * Subject: `C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1` * Key type: `RSA 2048` * Valid until: 2020-06-04 (expired) * CA details: [crt.sh](https://crt.sh/?caid=7395), [issued certs](https://crt.sh/?Identity=%25&iCAID=7395) * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=9314792), [der](/certs/letsencryptauthorityx1.der), [pem](/certs/letsencryptauthorityx1.pem), [txt](/certs/letsencryptauthorityx1.txt) * Certificate details (cross-signed by IdenTrust): [crt.sh](https://crt.sh/?id=10235198), [der](/certs/lets-encrypt-x1-cross-signed.der), [pem](/certs/lets-encrypt-x1-cross-signed.pem), [txt](/certs/lets-encrypt-x1-cross-signed.txt) * **Let's Encrypt Authority X2** - * Subject: `O = Let's Encrypt, CN = Let's Encrypt Authority X2` + * Subject: `C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X2` * Key type: `RSA 2048` * Valid until: 2020-06-04 (expired) * CA details: [crt.sh](https://crt.sh/?caid=9745), [issued certs](https://crt.sh/?Identity=%25&iCAID=9745) * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=12721505), [der](/certs/letsencryptauthorityx2.der), [pem](/certs/letsencryptauthorityx2.pem), [txt](/certs/letsencryptauthorityx2.txt) * Certificate details (cross-signed by IdenTrust): [crt.sh](https://crt.sh/?id=10970235), [der](/certs/lets-encrypt-x2-cross-signed.der), [pem](/certs/lets-encrypt-x2-cross-signed.pem), [txt](/certs/lets-encrypt-x2-cross-signed.txt) * **Let's Encrypt Authority X3** - * Subject: `O = Let's Encrypt, CN = Let's Encrypt Authority X3` + * Subject: `C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3` * Key type: `RSA 2048` * Valid until: 2021-10-06 (expired) * CA details: [crt.sh](https://crt.sh/?caid=16418), [issued certs](https://crt.sh/?Identity=%25&iCAID=16418) * Certificate details (signed by 
ISRG Root X1): [crt.sh](https://crt.sh/?id=47997543), [der](/certs/letsencryptauthorityx3.der), [pem](/certs/letsencryptauthorityx3.pem), [txt](/certs/letsencryptauthorityx3.txt) * Certificate details (cross-signed by IdenTrust): [crt.sh](https://crt.sh/?id=15706126), [der](/certs/lets-encrypt-x3-cross-signed.der), [pem](/certs/lets-encrypt-x3-cross-signed.pem), [txt](/certs/lets-encrypt-x3-cross-signed.txt) * **Let's Encrypt Authority X4** - * Subject: `O = Let's Encrypt, CN = Let's Encrypt Authority X4` + * Subject: `C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X4` * Key type: `RSA 2048` * Valid until: 2021-10-06 (expired) * CA details: [crt.sh](https://crt.sh/?caid=16429), [issued certs](https://crt.sh/?Identity=%25&iCAID=16429) * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=47997546), [der](/certs/letsencryptauthorityx4.der), [pem](/certs/letsencryptauthorityx4.pem), [txt](/certs/letsencryptauthorityx4.txt) * Certificate details (cross-signed by IdenTrust): [crt.sh](https://crt.sh/?id=15710291), [der](/certs/lets-encrypt-x4-cross-signed.der), [pem](/certs/lets-encrypt-x4-cross-signed.pem), [txt](/certs/lets-encrypt-x4-cross-signed.txt) +* **Let's Encrypt E1** + * Subject: `C=US, O=Let's Encrypt, CN=E1` + * Key type: `ECDSA P-384` + * Valid until: 2025-09-15 (expired) + * CA details: [crt.sh](https://crt.sh/?caid=183283), [issued certs](https://crt.sh/?Identity=%25&iCAID=183283) + * Certificate details (signed by ISRG Root X2): [crt.sh](https://crt.sh/?id=3334671964), [der](/certs/lets-encrypt-e1.der), [pem](/certs/lets-encrypt-e1.pem), [txt](/certs/lets-encrypt-e1.txt) + * CRL hostname: `e1.c.lencr.org` +* **Let's Encrypt E2** + * Subject: `C=US, O=Let's Encrypt, CN=E2` + * Key type: `ECDSA P-384` + * Valid until: 2025-09-15 (expired) + * CA details: [crt.sh](https://crt.sh/?caid=183284), [issued certs](https://crt.sh/?Identity=%25&iCAID=183284) + * Certificate details (signed by ISRG Root X2): 
[crt.sh](https://crt.sh/?id=3334671963), [der](/certs/lets-encrypt-e2.der), [pem](/certs/lets-encrypt-e2.pem), [txt](/certs/lets-encrypt-e2.txt) + * CRL hostname: `e2.c.lencr.org` +* **Let's Encrypt R3** + * Subject: `C=US, O=Let's Encrypt, CN=R3` + * Key type: `RSA 2048` + * Valid until: 2025-09-15 (expired) + * CA details: [crt.sh](https://crt.sh/?caid=183267), [issued certs](https://crt.sh/?Identity=%25&iCAID=183267) + * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=3334561879), [der](/certs/lets-encrypt-r3.der), [pem](/certs/lets-encrypt-r3.pem), [txt](/certs/lets-encrypt-r3.txt) + * Certificate details (cross-signed by IdenTrust): [crt.sh](https://crt.sh/?id=3479778542), [der](/certs/lets-encrypt-r3-cross-signed.der), [pem](/certs/lets-encrypt-r3-cross-signed.pem), [txt](/certs/lets-encrypt-r3-cross-signed.txt) + * CRL hostname: `r3.c.lencr.org` +* **Let's Encrypt R4** + * Subject: `C=US, O=Let's Encrypt, CN=R4` + * Key type: `RSA 2048` + * Valid until: 2025-09-15 (expired) + * CA details: [crt.sh](https://crt.sh/?caid=183268), [issued certs](https://crt.sh/?Identity=%25&iCAID=183268) + * Certificate details (signed by ISRG Root X1): [crt.sh](https://crt.sh/?id=3334561877), [der](/certs/lets-encrypt-r4.der), [pem](/certs/lets-encrypt-r4.pem), [txt](/certs/lets-encrypt-r4.txt) + * Certificate details (cross-signed by IdenTrust): [crt.sh](https://crt.sh/?id=3479778543), [der](/certs/lets-encrypt-r4-cross-signed.der), [pem](/certs/lets-encrypt-r4-cross-signed.pem), [txt](/certs/lets-encrypt-r4-cross-signed.txt) + * CRL hostname: `r4.c.lencr.org`
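Review bot: the alt text in the @@ -8,16 hunk is bumped to "as of July 2026", but the profiles.md front matter in the same change sets `lastmod: 2026-05-28`, so the diagram caption dates itself after the page that ships it; either hold the alt-text bump for the July publish or use the date the diagram was actually regenerated.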
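Review bot: the @@ -60,52 hunk retires E7 through R13 and drops the sentence saying tlsclient-profile certificates are issued from them, yet the tlsclient text removed from profiles.md in this same change says subscribers "may continue to use it until July 8, 2026"; if tlsclient issuance really runs until that date, E7 through R13 are still in rotation and this hunk should land with (or after) the final tlsclient cutover rather than now. Also worth stating in the commit message that the "Chains:" sub-lists are intentionally dropped when these four are moved under Retired, since the Retired entries that were already there (E5, E6) have none either.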
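Review bot: in the @@ -189,24 hunk the new sentence "Those which issued any certificates will continue producing CRLs until they expire" leaves "they" ambiguous between the intermediate and the certificates it issued; since the same change moves the already-expired intermediates into a separate "Expired" section, "until the intermediate certificate itself expires" (or whichever is meant) would read unambiguously.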
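Review bot: the E9 entry re-added in the @@ -214,71 hunk points both certificate links at the same crt.sh record, `[crt.sh](https://crt.sh/?id=12396132894)` for "signed by ISRG Root X2" and again for "cross-signed by ISRG Root X1"; two distinct certificates cannot share one crt.sh id (compare E7: 12396132900 / 12396132895, E8: 12396132890 / 12396132901). The duplicate was already present in the lines being removed in @@ -154,30, so since the entry is being rewritten anyway this is the moment to look up the correct id for the cross-signed certificate.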
diff --git a/content/en/docs/profiles.md b/content/en/docs/profiles.md index 8188b172f..6bd7ff13f 100644 --- a/content/en/docs/profiles.md +++ b/content/en/docs/profiles.md @@ -1,7 +1,7 @@ --- title: Profiles slug: profiles -lastmod: 2026-05-15 +lastmod: 2026-05-28 show_lastmod: false --- @@ -26,7 +26,6 @@ The classic profile is the default profile selected for all orders which do not | [Order Lifetime](#order-lifetime) | 7 days | | [Certificate Common Name](#certificate-common-name) | Yes* | | [Key Encipherment KU](#key-encipherment-key-usage) | Yes | -| [TLS Client Auth EKU](#tls-client-authentication-extended-key-usage) | No | | [Subject Key ID](#subject-key-identifier-extension) | Yes | | [Validity Period](#validity-period) | 90 days | | [Revocation Information](#revocation-information) | CRL | 
@@ -46,7 +45,7 @@ The tlsserver profile is a new profile which updates several of these validation The pending authorization lifetime has been reduced to further encourage automation: fully automated systems can complete a validation challenge within seconds, so a lifetime of just one hour is more than enough. The authorization reuse period has been reduced to seven hours. This is because the Baseline Requirements require that we re-check Certificate Authority Authorization (CAA) after eight hours, so limiting the reuse period means that we don't have to perform rechecks. The order lifetime has been reduced to the sum of two authorization lifetimes, because there is little purpose to having an order that outlives the authorizations it depends on. -The issued certificate no longer contains any of the fields discussed above. The Common Name has been omitted, as it is redundant with the Subject Alternative Names and is marked as NOT RECOMMENDED by the Baseline Requirements. The Key Encipherment key usage is omitted because it is only relevant when using non-forward-secret TLS cipher suites, which have been removed by all major browsers due to the importance of forward-secrecy. The TLS Client Auth extended key usage is omitted to comply with upcoming root program requirements that require "single-purpose" (i.e. single EKU) certificates. And the Subject Key ID extension is omitted because it serves no purpose in end-entity certificates and is NOT RECOMMENDED by the Baseline Requirements. +The issued certificate omits the Common Name, as it is redundant with the Subject Alternative Names and is marked as NOT RECOMMENDED by the Baseline Requirements. The Key Encipherment key usage is omitted because it is only relevant when using non-forward-secret TLS cipher suites, which have been removed by all major browsers due to the importance of forward-secrecy. 
The Subject Key ID extension is omitted because it serves no purpose in end-entity certificates and is NOT RECOMMENDED by the Baseline Requirements. And finally the resulting certificate is valid for only 45 days, in preparation for upcoming restrictions that will limit all certificates to at most 47 days. | Property | Value | |----------------------------------------------------------------------|---------| @@ -55,7 +54,6 @@ The issued certificate no longer contains any of the fields discussed above. The | [Order Lifetime](#order-lifetime) | 8 hours | | [Certificate Common Name](#certificate-common-name) | No | | [Key Encipherment KU](#key-encipherment-key-usage) | No | -| [TLS Client Auth EKU](#tls-client-authentication-extended-key-usage) | No | | [Subject Key ID](#subject-key-identifier-extension) | No | | [Validity Period](#validity-period) | 45 days | | [Revocation Information](#revocation-information) | CRL | @@ -78,7 +76,6 @@ We recommend this profile for those who fully trust their automation to renew th | [Order Lifetime](#order-lifetime) | 8 hours | | [Certificate Common Name](#certificate-common-name) | No | | [Key Encipherment KU](#key-encipherment-key-usage) | No | -| [TLS Client Auth EKU](#tls-client-authentication-extended-key-usage) | No | | [Subject Key ID](#subject-key-identifier-extension) | No | | [Validity Period](#validity-period) | 160 hours | | [Revocation Information](#revocation-information) | CRL | @@ -88,39 +85,6 @@ We recommend this profile for those who fully trust their automation to renew th
-## tlsclient - -Certificates issued with the tlsclient profile contain the TLS Client Auth EKU. -It is otherwise identical to the classic profile. - -However, as [announced on our blog](/2025/05/14/ending-tls-client-authentication), this profile will soon cease to exist. It is no longer generally available. Subscribers who are already using it prior to May 13, 2026 may continue to use it until July 8, 2026. - -This profile exists for the sole purpose of allowing Subscribers who need access -to TLS Client Auth certificates to retain that EKU for slightly longer, to -ease their transition into a TLS Server Auth-only world. If you do not -specifically need the TLS Client Auth EKU, then you can and should safely ignore -this profile. - - -| Property | Value | -|----------------------------------------------------------------------|-------------------------------------------| -| [Pending Authorization Lifetime](#pending-authorization-lifetime) | 7 days | -| [Authorization Reuse Period](#authorization-reuse-period) | 30 days | -| [Order Lifetime](#order-lifetime) | 7 days | -| [Certificate Common Name](#certificate-common-name) | Yes* | -| [Key Encipherment KU](#key-encipherment-key-usage) | Yes | -| [TLS Client Auth EKU](#tls-client-authentication-extended-key-usage) | Yes | -| [Subject Key ID](#subject-key-identifier-extension) | Yes | -| [Validity Period](#validity-period) | 90 days | -| [Revocation Information](#revocation-information) | CRL | -| [Max Names](#max-names) | 100 | -| [Identifier Types](#identifier-types) | DNS | - -\*: If the CSR submitted at finalize time requests a specific Common Name that corresponds to a dNSName Subject Alternative Name, that request is honored. If the CSR does not request a specific Common Name, the first dNSName Subject Alternative Name requested will be promoted into the Subject Common Name. 
If either the requested name or the to-be-promoted name is too long to fit in the Common Name field (64+ characters), the Common Name will be left empty. - -: Only included for certificates with RSA public keys. -
- # Selecting a Profile The process for selecting a profile is described in [this Internet-Draft](https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/), which we plan to work with the IETF ACME Working Group to turn into a full RFC. Not all ACME Clients have implemented this draft, so the client you use may not yet be able to select a profile. 
@@ -161,10 +125,6 @@ TLS Certificates can contain names (e.g. domain names or IP addresses) in two pl TLS Certificates have a ["Key Usage" extension](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3), which determines what sorts of cryptographic operations the key contained in the certificate is allowed to perform. All Let's Encrypt certificates contain the Digital Signature KU, which is necessary to perform TLS handshakes. The Key Encipherment KU was historically required by old versions of TLS to perform certain kinds of handshakes with RSA keys. However, those operations are now known to be insecure, and have been deprecated and removed from browsers for several years now. Including the Key Encipherment key usage is now [NOT RECOMMENDED by the Baseline Requirements](https://github.com/cabforum/servercert/blob/main/docs/BR.md#712711-subscriber-certificate-key-usage). -### TLS Client Authentication Extended Key Usage - -In addition to the above, TLS Certificates also have an ["Extended Key Usage" extension](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12), which provides an extra layer of granularity to the Key Usage extension described above. The two most common extended key usages are TLS Server Auth (which allows the certificate to be presented by a server during a TLS handshake) and TLS Client Auth (which allows the certificate to be presented by a _client_ during a TLS handshake). Support for [TLS Client Authentication is being phased out](/2025/05/14/ending-tls-client-authentication/) in 2026. - ### Subject Key Identifier Extension TLS Certificates can have a ["Subject Key Identifier" extension](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2), which provides a short string that uniquely identifies the public key present in the certificate. 
This extension is very important for CA certificates, because it allows browsers to quickly find the CA certificate which issued the end-entity certificate being presented by a website. However, the extension serves no purpose in end-entity certificates, and including it is now NOT RECOMMENDED by the Baseline Requirements. diff --git a/static/images/isrg-hierarchy-full.png b/static/images/isrg-hierarchy-full.png index 20e0b9238..87c80094c 100644 Binary files a/static/images/isrg-hierarchy-full.png and b/static/images/isrg-hierarchy-full.png differ diff --git a/static/images/isrg-hierarchy.png b/static/images/isrg-hierarchy.png index e9394781f..b433403bb 100644 Binary files a/static/images/isrg-hierarchy.png and b/static/images/isrg-hierarchy.png differ
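Review bot: the rewritten paragraph in the @@ -46,7 hunk adds "And finally the resulting certificate is valid for only 45 days, in preparation for upcoming restrictions that will limit all certificates to at most 47 days" with no source; the Key Usage paragraph in this same file links the Baseline Requirements for its claim, so link the ballot or BR section here too, and add the comma after "finally".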
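Review bot: the @@ -88,39 hunk deletes the whole `## tlsclient` section, whose own text says the profile is usable "until July 8, 2026", while `lastmod` in this change is 2026-05-28; if this publishes before July 8, subscribers still on the profile lose the only page documenting it, so either keep a short stub under that heading until the cutover or make the removal a separate change scheduled for July. The hunk also removes the `\*:` footnote about Common Name promotion; the classic table (context in @@ -26,7) still shows "Yes*", so confirm the classic section keeps its own copy of that footnote.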
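Review bot: removing the "### TLS Client Authentication Extended Key Usage" section in the @@ -161,10 hunk also removes the only place the page explains the Extended Key Usage extension and that certificates carry TLS Server Auth; a one-sentence mention of the Server Auth EKU in the Key Usage section above would keep that information. Before merging, grep the repository for the now-dangling anchors `#tls-client-authentication-extended-key-usage` and `#tlsclient` to make sure no table row or other page still links to them.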