"Let's Encrypt is introducing significant changes to its certificates. The certificate authority is taking steps towards shorter certificate lifespans, new root certificates, and the end of TLS client authentication. The changes are in line with new CA/Browser Forum requirements. Let's Encrypt is generating two new Root Certification Authorities (CAs) and six new Intermediate CAs, collectively referred to as the Generation Y hierarchy. These are cross-signed from the existing Generation X roots X1 and X2."
"Most users will receive certificates from the 'classic' profile by default, unless they consciously choose a different profile. This profile will switch to the Generation Y hierarchy on May 13, 2026. These new intermediates no longer contain the Extended Key Usage for TLS Client Authentication due to upcoming root program requirements. These are requirements set by browser vendors and operating system builders such as Google, Microsoft, Apple, and Mozilla."
Let's Encrypt will adopt shorter certificate lifespans, introduce new root certificates, and end TLS client authentication to meet new CA/Browser Forum and root program requirements. Two new Root CAs and six new Intermediate CAs form the Generation Y hierarchy; they are cross-signed by the existing Generation X roots X1 and X2 to preserve trust where those roots are recognized. The default 'classic' profile will migrate to Generation Y on May 13, 2026. New intermediates omit Extended Key Usage for TLS Client Authentication, making issued certificates server-only. The tlsclient profile remains available on Generation X until May 2026 for transition.
Read at Techzine Global
Unable to calculate read time
Collection
[
|
...
]