
Let's Encrypt's New Root and Intermediate Certificates - throw0101a
https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
======
throw0101a
TL;DR:

> _For starters, we’ve issued two new 2048-bit RSA intermediates which we’re
> calling R3 and R4. These are both issued by ISRG Root X1, and have 5-year
> lifetimes. They will also be cross-signed by IdenTrust. They’re basically
> direct replacements for our current X3 and X4, which are expiring in a year.
> We expect to switch our primary issuance pipeline to use R3 later this year,
> which won’t have any real effect on issuance or renewal._

> _The other new certificates are more interesting. First up, we have the new
> ISRG Root X2, which has an ECDSA P-384 key instead of RSA, and is valid
> until 2040. Issued from that, we have two new intermediates, E1 and E2,
> which are both also ECDSA and are valid for 5 years._

> _Notably, these ECDSA intermediates are not cross-signed by IdenTrust’s DST
> Root CA X3. Instead, the ISRG Root X2 itself is cross-signed by our existing
> ISRG Root X1. An astute observer might also notice that we have not issued
> an OCSP Signing Certificate from ISRG Root X2._

So:

* new intermediates R3/4, co-signed by current-X1 and IdenTrust; go-live soon

* new EC X2 root, signed only by current-X1

* new EC intermediates E1/2, signed only by new-X2

