This certificate used a 4096-bit RSA key and had an expiry in 2025, and although it's still got life left, it will become necessary to replace it with a stronger key in the future.

As a result, in September this year, Let's Encrypt created a new root certificate, ISRG Root X2, using ECDSA. The ISRG Root X2 certificate is cross-signed with ISRG Root X1 to allow for certificate validation in the interim.

The problem is that the DST X3 certificate, which is currently used by Let's Encrypt to issue certificates, is due to expire in September 2021. From January 11 next year, the API that serves certificates will move to using certificates issued through the ISRG Root X1 certificate, but not by the DST X3 certificate.

The ACMEv2 protocol provides an 'alternate' link, which can be used to roll back to the current behaviour, but the key problem is dealing with older operating systems that either don't have the correct root certificate, or don't have support for either the SHA-1 or ECDSA protocols that are used in the process of verifying a certificate. By moving towards their own root, and moving to a more compact key representation, it will be possible to optimise the connection setup of encrypted data streams as well as moving towards a stronger encryption model.

The changeover on 2021-01-11 to the API will potentially impact older Android clients, and the expiration date of the DST X3 certificate on 2021-09-30 next year is something to watch out for.
As said here by Alex Blewitt
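
The 'alternate' link mentioned above is delivered as HTTP `Link` headers on the ACME certificate download response (RFC 8555, section 7.4.2). The following sketch is an added example, not code from the article or from Let's Encrypt: it lists the alternate chain URLs a client could fetch. The function name `alternate_chain_urls` and the `acme.example` URLs are constructed for illustration.

```python
import re

# Constructed sample: headers an ACME server might return from the
# certificate download URL. The URLs are placeholders, not real endpoints.
SAMPLE_HEADERS = [
    ("Content-Type", "application/pem-certificate-chain"),
    ("Link", '<https://acme.example/directory>;rel="index"'),
    ("Link", '<https://acme.example/cert/abc/1>;rel="alternate", '
             '<https://acme.example/cert/abc/2>; rel="alternate up"'),
]

# One link-value: <target> followed by ;param=value pairs (RFC 8288).
_LINK = re.compile(r'<([^>]*)>((?:\s*;\s*[\w*-]+\s*=\s*(?:"[^"]*"|[^\s;,"]+))*)')
_PARAM = re.compile(r';\s*([\w*-]+)\s*=\s*(?:"([^"]*)"|([^\s;,"]+))')


def alternate_chain_urls(headers):
    """Return the target of every Link entry whose rel includes 'alternate'."""
    urls = []
    for name, value in headers:
        if name.lower() != "link":      # header names are case-insensitive
            continue
        # A single header may carry several comma-separated link-values.
        for target, params in _LINK.findall(value):
            for key, quoted, bare in _PARAM.findall(params):
                # rel may hold several space-separated relation types.
                rels = (quoted or bare).lower().split()
                if key.lower() == "rel" and "alternate" in rels:
                    urls.append(target)
                    break
    return urls


if __name__ == "__main__":
    for url in alternate_chain_urls(SAMPLE_HEADERS):
        print(url)
```

Each returned URL serves the same end-entity certificate under a different chain, so an operator can compare the issuers and pick the chain their oldest supported clients can still validate.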