Upcoming Let's Encrypt intermediate issuer certificate change...

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Apr 17 10:08:21 CEST 2019

If you're relying on DANE TLSA "2 0 1" or "2 0 2" records that
match the current Let's Encrypt Intermediate certificate,
you need to make appropriate plans for the switchover to a
new intermediate CA cert on 2010-07-08:


this will result in a change in the content (and digest) of the
intermediate issuer cert.  But the underlying public key is *not*
changing.  Therefore, the sensible solution is to switch, before then,
to "2 1 1" records that will continue to work across the cutover.

The "2 1 1" record will of course have a different digest from the
"2 0 1" record (and likewise for "2 1 2" vs. "2 0 2").

The stable key digests are:

   2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
   2 1 2 774fad8c9a6afc2bdb44faba8390d213ae592fb0d56c5dfab152284e334d7cd6abd05799236e7aa6266edf81907c60404c57ee54c10a3a82fcc2a9146629b140

See also: 



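The following is an added example, not part of the original post: it shows why a selector 1 (SubjectPublicKeyInfo) TLSA record survives a reissue of the intermediate with the same key while a selector 0 (full certificate) record does not. The function names and the two toy DER certificates are constructed for illustration; they share one key and differ only in serial number.

```python
import hashlib

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)          # outer Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, pos)  # TBSCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = _tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:end]))
        pos = end
    # version [0], serial, sigAlg, issuer, validity, subject, SPKI;
    # the optional version field shifts the SPKI index by one.
    return fields[6 if fields[0][0] == 0xA0 else 5][1]

def tlsa_rdata(cert_der, selector, mtype, usage=2):
    """Build 'usage selector mtype digest' (mtype 1 = SHA-256, 2 = SHA-512)."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    algo = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return f"{usage} {selector} {mtype} {algo(data).hexdigest()}"

# --- Constructed sample input: toy DER, not real Let's Encrypt certificates ---
def _der(tag, body):
    assert len(body) < 0x80  # short-form lengths are enough for the toy input
    return bytes([tag, len(body)]) + body

def toy_cert(serial, spki):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + _der(0x30, b"") * 4 + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

SAMPLE_SPKI = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00constructed-key-bits"))
OLD_CERT = toy_cert(1, SAMPLE_SPKI)   # stands in for the current intermediate
NEW_CERT = toy_cert(2, SAMPLE_SPKI)   # same key, reissued certificate

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, tlsa_rdata(cert, 0, 1))  # differs between old and new
        print(name, tlsa_rdata(cert, 1, 1))  # identical for old and new
```

To run it against a real certificate, convert the PEM text with `ssl.PEM_cert_to_DER_cert()` from the standard library and pass the result to `tlsa_rdata()`.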