Upcoming Changes to Let's Encrypt Certificates

Original link: https://community.letsencrypt.org/t/upcoming-changes-to-let-s-encrypt-certificates/243873

Let’s Encrypt is rolling out several updates to its certificate system, focused mainly on security and on meeting industry standards. These updates include a new “Generation Y” certificate hierarchy (expected to be fully rolled out in May 2026), built on new root and intermediate certificates and compatible with the existing trusted roots. Key changes include the deprecation of TLS client authentication (starting in February 2026) and shorter certificate lifetimes. Next year Let’s Encrypt will offer 45-day certificates through the `tlsserver` profile; the default lifetime will be shortened to 64 days in 2027 and to 45 days in 2028. These changes have little impact on most users, and Let’s Encrypt is using ACME profiles to control the transition. The `tlsclient` profile provides a longer transition period. Short-lived certificates, including support for IP addresses, are now generally available through the `tlsserver` and `shortlived` profiles. For more details on each update, see Let’s Encrypt’s blog posts.

Original text

Let’s Encrypt is introducing several updates to the certificates we issue, including new root certificates, the deprecation of TLS client authentication, and shortening certificate lifetimes. To help roll out changes gradually, we’re making use of ACME profiles to allow users to have control over when some of these changes take place. For most users, no action is required.

Let’s Encrypt has generated two new Root Certification Authorities (CAs) and six new Intermediate CAs, which we’re collectively calling the “Generation Y” hierarchy. These are cross-signed from our existing “Generation X” roots, X1 and X2, so will continue to work anywhere our current roots are trusted.

Most users get certificates from our default classic profile, unless they’ve opted into another profile. This profile will switch to the new Generation Y hierarchy on May 13 2026. These new intermediates do not contain the “TLS Client Authentication” Extended Key Usage due to an upcoming root program requirement. We have previously announced our plans to end TLS Client Authentication starting in February 2026, which will coincide with the switch to the Generation Y hierarchy. Users who encounter issues or need an extended period to switch can use our tlsclient profile until May 2026, which will also remain on our existing Generation X roots.

If you’re requesting certificates from our tlsserver or shortlived profiles, you’ll begin to see certificates which come from the Generation Y hierarchy this week. This switch will also mark the opt-in general availability of short-lived certificates from Let’s Encrypt, including support for IP addresses on certificates.

We also announced our timeline to comply with upcoming changes to the CA/Browser Forum Baseline Requirements, which will require us to shorten the length of time our certificates are valid for. Next year, you’ll be able to opt in to 45-day certificates for early adopters and testing via the tlsserver profile. In 2027, we’ll lower the default certificate lifetime to 64 days, and then to 45 in 2028. For the full timeline and details, please see our post on decreasing certificate lifetimes to 45 days.

For most users, no action is required, but we recommend reviewing the linked blog posts announcing each of these changes for more details. If you have any questions, please do not hesitate to ask here, on this forum.
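As an added example (not code from the post or from Let’s Encrypt), the Go program below checks a leaf certificate for the two properties the post tells operators to watch: whether it carries the TLS Client Authentication EKU that the Generation Y intermediates omit, and its lifetime, from which a renewal point is derived under an assumed policy of renewing once two thirds of the lifetime has elapsed. The certificate it inspects is a constructed self-signed one built inline; `Report`, `Assess` and `makeTestCert` are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Report is what Assess returns: what an operator needs to know about a leaf given the post's changes.
type Report struct {
	HasClientAuth bool          // relies on the EKU that Generation Y intermediates omit
	Lifetime      time.Duration // NotAfter minus NotBefore
	RenewAfter    time.Duration // assumed policy: renew once 2/3 of the lifetime has elapsed
	Expired       bool
}

func Assess(cert *x509.Certificate, now time.Time) Report {
	r := Report{Lifetime: cert.NotAfter.Sub(cert.NotBefore)}
	for _, eku := range cert.ExtKeyUsage {
		r.HasClientAuth = r.HasClientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	r.RenewAfter = r.Lifetime * 2 / 3
	r.Expired = now.After(cert.NotAfter)
	return r
}

// makeTestCert builds a constructed self-signed leaf (not a Let's Encrypt one) so the check runs offline.
func makeTestCert(days int, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2026, 5, 13, 0, 0, 0, 0, time.UTC) // constructed issuance date
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Pointing `Assess` at a certificate parsed from a live chain shows which services still depend on the client-authentication EKU ahead of the February 2026 change, and whether renewal automation runs often enough for a 45-day lifetime.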
