The keys and certificates that will underlie Let’s Encrypt have been generated. This was done during a key ceremony at a secure facility today. The following objects were created:
- Key pair and self-signed cert for the ISRG root
- Key pair and certificate for the ISRG root’s OCSP
- Key pairs and certificates for two Let’s Encrypt intermediate CAs
- CRL under the ISRG root showing that the Let’s Encrypt intermediates have not been revoked
The certificates over the public keys, of course, can be made public:
- ISRG Root X1 Certificate
- Let’s Encrypt Intermediate X1 CA Certificate
- Let’s Encrypt Intermediate X2 CA Certificate
Let’s Encrypt will issue certificates to subscribers from its intermediate CAs, allowing us to keep our root CA safely offline. IdenTrust will cross-sign our intermediates. This will allow our end certificates to be accepted by all major browsers while we propagate our own root.
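The cross-signing arrangement described above, as an added example that is not Let’s Encrypt’s own code: one intermediate key pair carries two certificates, so the same subscriber certificate chains to either root. All names and keys are constructed throwaway values, the Python `cryptography` package is assumed, and only issuer names and signatures are checked (no validity period, revocation or constraint processing).

```python
# Added illustration: constructed names and throwaway keys, not the real hierarchy.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, subject_pub, issuer_cn, issuer_key, is_ca):
    """Issue a 30-day certificate over subject_pub, signed by issuer_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_pub).serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                           critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer_cert):
    """True if cert names issuer_cert as issuer and its signature verifies."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def chain_ok(leaf, intermediate, root):
    return (signed_by(leaf, intermediate) and signed_by(intermediate, root)
            and signed_by(root, root))

def build_demo():
    """Return (leaf, int_own, int_cross, own_root, other_root)."""
    own_k, other_k, int_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    own_root = issue("Example New Root", own_k.public_key(), "Example New Root", own_k, True)
    other_root = issue("Example Established Root", other_k.public_key(), "Example Established Root", other_k, True)
    # Same intermediate subject and public key, two different issuers.
    int_own = issue("Example Intermediate", int_k.public_key(), "Example New Root", own_k, True)
    int_cross = issue("Example Intermediate", int_k.public_key(), "Example Established Root", other_k, True)
    leaf = issue("subscriber.example", leaf_k.public_key(), "Example Intermediate", int_k, False)
    return leaf, int_own, int_cross, own_root, other_root
```

The root private keys are needed only when the intermediate certificates are signed; every subscriber certificate is signed with the intermediate key, which is what lets the root stay offline.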
Read more at the Let’s Encrypt Blog.