In response to the upcoming expiration of Let's Encrypt's cross-signed certificate chain with IdenTrust on September 30, 2024, Cloudflare recently discussed a change in its certificate issuance strategy. For those managing client connections to their applications, Cloudflare has recommended updating the trust store to include the ISRG Root X1 certificate.
Dina Kozlov, product manager at Cloudflare, detailed the background behind this decision. The upcoming certificate chain change from Let's Encrypt may cause compatibility issues for older devices and systems, notably Android devices running version 7.1.1 or earlier. Kozlov outlined a strategy to minimize disruption and ensure a smooth transition for most users.
In its July 2023 announcement, Let's Encrypt described its initial strategy of cross-signing certificates with IdenTrust's DST Root CA X3. As Let's Encrypt's own ISRG Root X1 gained acceptance, the need for cross-signing was reduced. However, in 2021, a new cross-sign was implemented to maintain compatibility with older Android devices. This stopgap measure, set to expire on September 30, 2024, has allowed these devices continued access to websites using Let's Encrypt certificates.
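A quick way to tell which of the two chains a server is currently sending, as an added example that is not from the article, Let's Encrypt or Cloudflare: it reads the "Certificate chain" listing printed by `openssl s_client -showcerts` and reports whether the chain still carries the ISRG Root X1 cross-signed by DST Root CA X3. The host name, port 443 and the sample chain listings below are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: classify which Let's Encrypt chain a TLS server sends, from
# the "Certificate chain" listing that `openssl s_client -showcerts` prints.
# If the ISRG Root X1 entry is issued by "DST Root CA X3", the served chain
# still relies on the cross-sign that expires on September 30, 2024.

# Fetch the chain listing for a host (assumes openssl on PATH, TLS on 443).
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Read s_client output on stdin and print one word:
#   CROSS_SIGNED  chain carries ISRG Root X1 signed by DST Root CA X3
#   ISRG_ROOT_X1  chain builds to ISRG Root X1 without the cross-sign
#   OTHER         not an ISRG / Let's Encrypt chain
classify_chain() {
  chain=$(sed -n '/^Certificate chain/,/^---$/p')
  if printf '%s\n' "$chain" | grep -q 'i:.*DST Root CA X3'; then
    echo CROSS_SIGNED
  elif printf '%s\n' "$chain" | grep -q 'i:.*ISRG Root X1'; then
    echo ISRG_ROOT_X1
  else
    echo OTHER
  fi
}

# Constructed sample: the long (cross-signed) chain as s_client lists it.
sample_long_chain() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Constructed sample: the short chain, which stops at ISRG Root X1.
sample_short_chain() {
  sample_long_chain | sed '/^ 2 s:/,/DST Root CA X3/d'
}
# Usage: sh chain_check.sh example.com
if [ $# -gt 0 ]; then fetch_chain "$1" | classify_chain; fi
```

A CROSS_SIGNED result means clients that lack ISRG Root X1 in their trust store, such as the older Android versions discussed above, will stop validating that chain once the cross-sign expires.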
Users impacted by this change who are using Cloudflare's Advanced Certificate Manager or SSL for SaaS can choose to use Google Trust Services instead. For more information on how to do this, readers can check out Cloudflare's developer documentation.
Kozlov cited Let's Encrypt data indicating that over 93.9% of Android devices already trust the ISRG Root X1, a number expected to grow throughout 2024. In a follow-up blog post, Kozlov noted that while Let's Encrypt intends to cease issuing certificates from the cross-signed chain on June 6th, 2024, Cloudflare will continue to support this chain for all Let's Encrypt certificates until September 9th, 2024.
Cloudflare will begin transitioning Let's Encrypt certificates to a different certificate authority 90 days or one certificate lifecycle before the change. This automatic shift will apply to Universal SSL and SSL for SaaS customers who have chosen the "default CA" option.
Customers who have specifically selected Let's Encrypt as their CA will be notified via email, receiving a list of their Let's Encrypt certificates and information on potential impacts for legacy devices. After September 9th, 2024, all Let's Encrypt certificates served by Cloudflare will utilize the ISRG Root X1 chain.
The tech community on Hacker News actively discussed both the original announcement from Let's Encrypt and the subsequent Cloudflare blogs. A Hacker News user, jrochkind1, praised Let's Encrypt for giving the community ample notice of the change, stating that the 14-month advance announcement "is treating the community right."
In another Hacker News conversation following Cloudflare’s blog post, HN user skybrian observed that expiration dates could cause sudden widespread issues, unlike gradual rollouts. Acknowledging Let's Encrypt's efforts to minimize this impact, the user also wondered if Let's Encrypt might be reintroduced later for new websites launched after the expiration date.
Kozlov acknowledged that while this change will affect a small percentage of clients, Cloudflare supports Let's Encrypt's decision as it contributes to a more secure and agile internet.