Understanding the Cloudflare Let's Encrypt Certificate Chain Change
FMG utilizes Let's Encrypt SSL certificates to establish secure connections for our websites, and these certificates are leveraged by Cloudflare, our content delivery network. Let's Encrypt has two types of certificate chains—one cross-signed with IdenTrust and another known as ISRG Root X1.
Beginning May 15, 2024, Cloudflare will cease issuing certificates from the cross-signed chain and will instead use Let’s Encrypt’s ISRG Root X1 chain for all future Let’s Encrypt certificates. The cross-signed chain with IdenTrust will expire on September 30, 2024.
What Does This Mean for Your Website?
As a website owner, there's no action required on your part. Your website's security certificates will be automatically updated to the new ISRG Root X1 chain before the IdenTrust cross-signed chain expires on September 30, 2024.
However, this change may affect website visitors who use older browsers, operating systems, and devices, such as Android devices version 7.1.1 or older. These browsers and operating systems rely on the IdenTrust cross-signed chain and may encounter TLS errors or warnings when accessing domains secured by a Let’s Encrypt certificate after the switch to the ISRG Root X1 chain.
It's important to note that despite any warnings, the connections to your website will remain secure. These warnings mainly indicate that the visitor's browser, operating system, or device is outdated and potentially insecure. We recommend keeping browsers and operating systems up to date to ensure optimal security.
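For site owners who want to confirm which of the two chains a server is presenting, the check below is an added example, not FMG or Cloudflare tooling. It reads the "Certificate chain" section printed by `openssl s_client -connect host:443 -showcerts` and names the chain by the issuer of the last certificate sent. The hostname, the R3 intermediate and both sample outputs are constructed for illustration; "DST Root CA X3" is the IdenTrust root that cross-signed ISRG Root X1.

```python
import re

# Constructed samples of the "Certificate chain" section of `openssl s_client` output.
CROSS_SIGNED = """Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---"""
ISRG_ONLY = """Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---"""

_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")  # "0 s:<subject>" / "i:<issuer>"
_CN = re.compile(r"CN\s*=\s*([^,/]+)")               # both DN print styles

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            break
        elif in_chain and (m := _LINE.match(line)):
            cn = _CN.search(m.group(2))
            name = cn.group(1).strip() if cn else m.group(2).strip()
            if m.group(1) == "s":
                subject = name
            else:
                chain.append((subject, name))
    return chain

def classify(text):
    """Name the chain by the issuer of the last certificate the server sent."""
    chain = parse_chain(text)
    if not chain:
        return "no chain found"
    # Each certificate must be issued by the next one in the list.
    if any(iss != nxt for (_, iss), (nxt, _) in zip(chain, chain[1:])):
        return "broken chain order"
    return {"DST Root CA X3": "IdenTrust cross-signed chain",
            "ISRG Root X1": "ISRG Root X1 chain"}.get(chain[-1][1], "other chain")
print(classify(CROSS_SIGNED), "|", classify(ISRG_ONLY))
```

A result of "ISRG Root X1 chain" means the server has already moved to the new chain, so clients that only trust the IdenTrust root are the ones that will see warnings.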
Frequently Asked Questions (FAQs)
Why is this change happening?
This change is happening because the cross-signed chain is set to expire. Cloudflare is proactively switching to the ISRG Root X1 chain to ensure the continued security of your certificates. While this change is not unique to FMG websites and affects the majority of SSL certificates on the web, we believe it's important to keep you informed.
It's crucial to note the importance of keeping your browser updated. As technology advances and cybercriminals employ more sophisticated methods, older encryption protocols can become vulnerable. Certificate Authorities (CAs) set expiration dates on certificate chains to prompt the regular update of security protocols, thereby maintaining the integrity and security of online communications. Keeping your browser updated ensures that it recognizes and trusts the latest certificates, providing a secure and seamless browsing experience.
I have an FMG website/landing page. What action do I need to take due to this change?
There is no action required on your part. Your SSL certificates will automatically switch to the ISRG Root X1 chain before September 30, 2024. However, visitors using older browsers and operating systems might see certificate warnings when they visit your website.
What does this change mean for my website visitors?
Most visitors won't notice a change. However, visitors using older browsers and operating systems may see warnings or errors when accessing your website after the switch to the ISRG Root X1 chain. These warnings indicate outdated software that may lack security updates. To ensure optimal security, updating browsers and operating systems is highly recommended.
Will this change impact the security of my website or my browsing experience?
The change will not impact your website's security or your browsing experience. Despite any potential warning messages, connections will remain secure and encrypted.
What is SSL?
SSL (Secure Sockets Layer) is a security protocol that provides a secure channel between two machines operating over the internet or an internal network. In essence, SSL allows for the secure transmission of sensitive information, such as credit card numbers or login credentials, ensuring that the data transmitted is secure and remains confidential.
What is Let's Encrypt?
Let's Encrypt is an open certificate authority (CA) that provides SSL certificates for website encryption.
What is Cloudflare?
Cloudflare is a web infrastructure and website security company that provides content delivery network services, DDoS mitigation, Internet security, and distributed domain name server services.
What is a Certificate Authority (CA)?
A Certificate Authority (CA) is a trusted entity that issues digital certificates, which are data files used to cryptographically link an entity with a public key. Certificate authorities are critical to the internet's public key infrastructure (PKI) because they issue the SSL certificates that web browsers use to authenticate content sent from web servers.
What is the ISRG Root X1 chain?
ISRG Root X1 is Let's Encrypt's own root Certificate Authority. It's the chain that will be used for all future Let's Encrypt certificates from May 15, 2024, onwards.
What is the IdenTrust cross-signed chain?
The IdenTrust cross-signed chain is one of the chains currently used by Let's Encrypt to issue certificates. It's cross-signed with IdenTrust, a globally trusted Certificate Authority. This chain will no longer be issued after May 15, 2024, and will expire on September 30, 2024.
What does it mean when a certificate chain expires?
When a certificate chain expires, the certificates issued under that chain are no longer valid. After the expiration date, browsers and operating systems will no longer trust certificates from the expired chain, which can lead to warnings or errors when accessing a secure website.