Let’s Encrypt has announced ten new intermediate certificates, five for RSA-2048 key pairs and five for ECDSA, with the goal of shortening the certificate chain. It has also started randomizing which intermediate signs each newly issued certificate, a change intended to stop applications from pinning Let’s Encrypt’s intermediate keys.
Key pinning, of which HTTP Public Key Pinning (HPKP) is the best-known form, lets an application such as a browser trust only specified certificates, or certificates issued under pre-defined ones. Certificates from any other issuer are rejected even if they are otherwise valid. The concept gained traction after the 2011 DigiNotar incident, in which fraudulent certificates for Google domains were discovered because Chrome’s pinned keys caused it to block them. Today, with Certificate Transparency (CT) in place, monitoring for misissued certificates is far more straightforward: anyone can look up which certificates have been logged for a given domain. That removes much of the need for pinning and avoids the breakage that occurs when a domain owner switches certificate authorities and pinned applications refuse the new chain.
Google discontinued key pinning in 2018, yet some companies still use the practice. Let’s Encrypt’s new approach keeps two intermediate certificates active for each chain (RSA and ECDSA) and alternates between them, so the issuer of any given certificate cannot be predicted. In addition, the lifespan of intermediate certificates will be cut from five years to one, as Let’s Encrypt prepares to issue certificates for the coming year.
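To show why pinning an intermediate key fails under this scheme, here is an added Python model (not code from the article or from Let’s Encrypt). It builds chains under two sibling intermediates and applies an HPKP-style check; the certificate names and key bytes are constructed placeholders, and the intermediate is chosen by serial parity rather than at random so the result is deterministic.

```python
import base64
import hashlib
from dataclasses import dataclass


# Constructed stand-in for a certificate: only the fields a pin check needs.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # would be the DER SubjectPublicKeyInfo; placeholder bytes here


def spki_pin(cert: Cert) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()


# Constructed hierarchy: one root and two sibling intermediates, as in the
# announcement's RSA pair. The key bytes are placeholders, not real CA keys.
ROOT = Cert("Root X", "Root X", b"placeholder-root-key")
INTERMEDIATES = [
    Cert("Intermediate A", "Root X", b"placeholder-intermediate-a-key"),
    Cert("Intermediate B", "Root X", b"placeholder-intermediate-b-key"),
]


def issue_chain(domain: str, serial: int) -> list:
    """Return leaf -> intermediate -> root. The CA picks the intermediate at
    issuance; Let's Encrypt does so randomly, here by serial parity."""
    intermediate = INTERMEDIATES[serial % len(INTERMEDIATES)]
    leaf = Cert(domain, intermediate.subject, f"placeholder-leaf-key-{serial}".encode())
    return [leaf, intermediate, ROOT]


def pin_check(chain: list, pins: set) -> bool:
    """HPKP semantics: accept if ANY certificate in the chain matches a pin."""
    return any(spki_pin(c) in pins for c in chain)


def acceptance_rate(pins: set, renewals: int = 100) -> float:
    """Fraction of successive renewals a client holding these pins accepts."""
    ok = sum(pin_check(issue_chain("example.com", n), pins) for n in range(renewals))
    return ok / renewals


if __name__ == "__main__":
    print("pin one intermediate :", acceptance_rate({spki_pin(INTERMEDIATES[0])}))  # 0.5
    print("pin both intermediates:", acceptance_rate({spki_pin(c) for c in INTERMEDIATES}))  # 1.0
    print("pin the root          :", acceptance_rate({spki_pin(ROOT)}))  # 1.0
```

Pinning both intermediates only holds until the CA rotates them, which is the fragility the shorter intermediate lifetimes make worse for anyone still pinning.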
The new intermediate certificates are expected to come into effect in the coming months, although an exact date has not been specified.
TLDR: Let’s Encrypt introduces ten new intermediate certificates to shorten chains and discourage key pinning, aligning with current industry practice for certificate issuance.