Let’s Encrypt is planning to issue a new root and new intermediates soon.
The new root will be an ECDSA one, to augment our existing RSA root. The
new intermediates will be part of our regular replacement of intermediates.
Our RSA root will cross-sign the ECDSA root.

We’re sharing our detailed issuance plans, including certificate profiles
and the tools we will use to generate the certificates. This is in the
spirit of transparency and also to get feedback from the community about
our plans.

Originally posted at
https://community.letsencrypt.org/t/detailed-2020-hierarchy/131019:

I’ve put together a detailed demonstration at
https://github.com/letsencrypt/2020-hierarchy-demo. I’ve attached sample
output from a run here, along with OpenSSL textual output. If you see any
flaws, please let us know!


Notable things:

   -

   We’re continuing to use X1 / X2 to identify roots.
   -

   We’re using O=Let’s Encrypt, CN=E1, E2, R3, and R4 to identify
   intermediates, where E/R indicates the key type, and we chose
   non-overlapping numbers across key types to make the names even easier to
   visually distinguish.
   -

   We’re using P-384 for our ECDSA hierarchy. We will continue to issue
   both P-256 and P-384 end-entity (leaf) certificates.
   -

   Per Ballot SC31 <https://github.com/cabforum/documents/pull/195>, we are
   not including OCSP URLs in our intermediates. This makes them smaller (for
   faster handshakes) and also simplifies our operations. The ballot has
   passed. We plan to perform the ceremony after the ballot’s review period
   has also passed and it takes effect.
   -

   We’re adopting a new domain for URLs in certificates: lencr.org. This
   saves some bytes.
   -

   For intermediates, we are just including CPS OIDs, not CPS URLs. Our
   end-entity certificates contain our CPS URL, so including it in the
   intermediates uses bytes unnecessarily.


The below is sample output from our demonstration:

root-x2.cert.pem.txt:

```text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            0d:e3:b6:d6:c3:12:af:10:9c:8b:74:de:8b:3a:97:a0

        Signature Algorithm: ecdsa-with-SHA384

        Issuer: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root X2

        Validity

            Not Before: Sep  4 00:00:00 2020 GMT

            Not After : Sep 17 16:00:00 2040 GMT

        Subject: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root
X2

        Subject Public Key Info:

            Public Key Algorithm: id-ecPublicKey

                Public-Key: (384 bit)

                pub:

                    04:aa:a9:a7:6e:c0:cd:01:16:af:60:ba:35:ea:d9:

                    02:8e:fb:ec:b8:c9:9f:a6:5c:50:f4:fc:25:99:af:

                    76:4c:22:50:8d:62:86:1d:51:58:b9:2d:39:dc:1a:

                    ca:76:1d:44:83:6c:93:94:01:b1:e3:9c:27:d6:e8:

                    61:ac:ab:bc:7f:4e:7f:d9:8a:43:d5:57:dd:72:87:

                    70:1c:25:c7:41:78:ad:ce:58:86:79:61:ff:ee:a3:

                    2b:9c:c3:5f:9d:b7:36

                ASN1 OID: secp384r1

                NIST CURVE: P-384

        X509v3 extensions:

            X509v3 Key Usage: critical

                Certificate Sign, CRL Sign

            X509v3 Basic Constraints: critical

                CA:TRUE

            X509v3 Subject Key Identifier:

                5B:BC:E1:46:F2:7B:A4:61:96:FA:28:A8:23:10:F5:BD:C2:CA:8F:E0

    Signature Algorithm: ecdsa-with-SHA384

         30:65:02:31:00:d2:6c:91:04:a7:d6:21:73:d0:52:f1:68:eb:

         4b:34:98:9a:43:57:9d:fe:d2:61:fc:c0:c1:ec:5f:58:f6:c9:

         b9:ea:84:3e:1f:3a:20:e4:85:dd:72:36:00:53:1e:30:88:02:

         30:02:25:a3:c4:ac:6e:97:70:6f:b3:cd:4f:59:95:55:b9:e7:

         52:f1:4d:a6:a0:a3:07:77:40:d4:dc:05:7b:26:9e:b9:be:05:

         b9:0f:c0:5f:9e:cc:3a:1c:de:e7:8b:2b:93

```

x2-signed-by-x1.txt

```text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            07:d7:a2:bb:0c:dc:93:25:d0:be:e2:26:39:de:7b:d0

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C = US, O = Internet Security Research Group, CN = (FAKE)
ISRG Root X1

        Validity

            Not Before: Sep  4 00:00:00 2020 GMT

            Not After : Sep 15 16:00:00 2025 GMT

        Subject: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root
X2

        Subject Public Key Info:

            Public Key Algorithm: id-ecPublicKey

                Public-Key: (384 bit)

                pub:

                    04:77:df:ec:6c:fe:22:06:aa:2e:8f:54:ce:1d:30:

                    60:01:85:ca:92:d6:d6:3d:21:0f:e5:18:1b:d5:35:

                    a4:72:ad:2d:07:56:cc:fe:0c:f5:39:2b:da:1a:83:

                    bf:a2:1a:9d:96:a2:74:2d:01:84:32:30:35:e0:a1:

                    e4:8a:fe:7f:16:58:83:13:e2:49:f2:01:84:60:98:

                    ef:07:4f:3c:f6:0c:86:21:22:33:aa:4e:6d:45:01:

                    da:8b:98:fb:c8:db:a5

                ASN1 OID: secp384r1

                NIST CURVE: P-384

        X509v3 extensions:

            X509v3 Key Usage: critical

                Certificate Sign, CRL Sign

            X509v3 Basic Constraints: critical

                CA:TRUE

            X509v3 Subject Key Identifier:

                55:49:E8:C3:B7:0B:25:64:96:86:E3:F8:0D:E3:F3:4B:34:9E:23:84

            X509v3 Authority Key Identifier:


keyid:B3:89:A4:0B:1C:64:C4:E7:E7:00:5B:CA:02:D5:8C:16:D7:77:D0:F9

            Authority Information Access:

                CA Issuers - URI:http://x1.i.lencr.org/

            X509v3 CRL Distribution Points:

                Full Name:

                  URI:http://x1.c.lencr.org/

            X509v3 Certificate Policies:

                Policy: 2.23.140.1.2.1

                Policy: 1.3.6.1.4.1.44947.1.1.1

    Signature Algorithm: sha256WithRSAEncryption

         76:d6:43:74:4d:4f:8c:67:dc:12:d3:e4:0e:06:97:a9:66:42:

         a7:e9:d2:33:b5:1f:75:c1:4a:12:1d:8a:8d:ef:cd:2f:12:59:

         1b:b1:c1:1b:ee:60:11:2f:ea:41:16:35:cc:12:ac:2e:7a:d2:

         78:dd:dd:66:40:c9:18:cb:b4:a3:79:8e:98:91:7b:46:8d:c7:

         e7:d1:d5:1c:e8:72:d2:3b:b2:05:b4:52:97:d7:72:9b:fc:bd:

         b5:1c:f1:3c:b0:f8:70:16:21:2d:10:73:a0:14:0a:92:77:39:

         3f:85:11:26:29:1a:06:b3:2f:79:36:28:54:6a:de:f7:65:a2:

         07:1a:5c:64:c6:1a:23:97:9e:2c:58:7e:bc:45:22:3b:d2:e4:

         23:f6:92:a5:5e:a8:11:f1:1a:ed:2f:3a:bf:81:a0:de:c4:5c:

         00:83:31:54:95:65:cb:07:95:53:95:62:af:48:b4:e1:09:aa:

         a3:73:86:a6:a0:14:c5:fd:0a:d0:05:16:22:e4:93:ec:75:3b:

         d5:c1:78:68:7a:12:b8:00:29:5b:c4:6f:73:aa:05:d7:0f:ab:

         a2:a0:25:1d:7c:e3:77:9b:24:01:a7:58:c2:b7:e7:6d:fd:9c:

         db:b9:e1:19:c4:34:b2:f0:30:a8:c7:fa:97:14:fd:57:c9:e0:

         5e:b0:aa:b4:ab:7f:bd:03:b2:4f:12:05:45:10:4d:78:74:13:

         89:e8:5a:e3:45:03:74:96:13:ff:9b:81:f3:21:45:0b:d6:ec:

         e6:8f:dc:96:f0:88:1b:67:32:11:f4:45:2c:e2:e4:2d:ff:6c:

         79:bc:fa:e0:39:e0:44:d5:02:86:3b:d5:0b:4f:a3:35:29:9a:

         ab:66:ff:8b:1b:37:1f:de:be:89:7e:25:67:64:8c:4c:1d:0f:

         d6:8d:de:2a:a2:f5:3f:eb:5f:c9:89:db:6d:5a:3a:90:83:fb:

         6d:31:40:a1:82:f8:3b:b0:5a:75:8d:32:fb:26:59:90:73:a0:

         fa:8a:e7:50:c1:87:8c:50:01:ba:20:f4:b9:fa:2d:66:8b:fc:

         b9:b4:d3:bc:e9:64:24:fa:4b:9f:cc:3d:ab:d7:b2:d3:a7:5e:

         c8:de:13:ac:5c:2d:68:ec:4b:9f:8c:0b:24:ee:39:6f:34:45:

         80:7f:9a:16:be:b8:10:e7:42:fb:1e:81:33:3e:6f:98:68:6d:

         83:93:09:92:1e:73:50:77:92:04:5b:76:56:9a:ac:20:aa:39:

         87:18:76:f9:6a:b5:61:dc:5e:eb:2c:8c:c1:b9:0a:7f:27:77:

         d9:ad:e6:99:d6:ff:06:2f:47:e3:cf:00:9e:33:1d:ff:61:51:

         db:66:a4:9c:fe:54:39:e5

```

root-x2.crl.pem.txt

```text

Certificate Revocation List (CRL):

        Version 2 (0x1)

        Signature Algorithm: ecdsa-with-SHA384

        Issuer: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root X2

        Last Update: Sep  4 00:00:00 2020 GMT

        Next Update: Aug  4 00:00:00 2021 GMT

        CRL extensions:

            X509v3 Authority Key Identifier:


keyid:5B:BC:E1:46:F2:7B:A4:61:96:FA:28:A8:23:10:F5:BD:C2:CA:8F:E0

            X509v3 CRL Number:

                100

No Revoked Certificates.

    Signature Algorithm: ecdsa-with-SHA384

         30:65:02:31:00:f2:ff:1c:52:20:ef:9d:1c:6d:74:95:10:47:

         44:66:05:e1:10:5f:1e:72:a2:10:4a:19:25:fd:94:be:1b:17:

         c8:f6:a5:30:07:88:db:8b:92:dd:be:08:f1:f5:34:67:73:02:

         30:74:e1:4e:86:9e:ef:1f:7b:14:91:01:fe:d7:7b:0b:11:b7:

         4b:cb:d1:f4:ad:12:37:e6:c5:8f:00:fa:8f:35:15:e0:ac:93:

         77:45:80:e5:c9:46:17:81:4a:71:d0:a6:0b

```

int-e1.cert.pem.txt

```text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            9b:51:80:12:58:e4:c1:87:4a:42:99:4f:30:69:3f:dd

        Signature Algorithm: ecdsa-with-SHA384

        Issuer: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root X2

        Validity

            Not Before: Sep  4 00:00:00 2020 GMT

            Not After : Sep 15 16:00:00 2025 GMT

        Subject: C = US, O = Let's Encrypt, CN = (FAKE) E1

        Subject Public Key Info:

            Public Key Algorithm: id-ecPublicKey

                Public-Key: (384 bit)

                pub:

                    04:42:03:f9:9f:d0:6c:9f:a4:80:5a:29:f4:e1:63:

                    6c:87:d0:ec:cf:f4:ef:a9:ed:51:75:e4:c7:d7:fa:

                    aa:89:b6:40:ef:f4:8e:85:af:02:b3:2d:57:e9:eb:

                    55:9c:03:bd:6e:9c:1d:0d:72:01:10:54:c0:5f:a9:

                    34:fe:6e:fe:15:e4:7c:67:c5:94:6b:52:42:10:67:

                    21:52:0c:b7:a5:63:df:1f:e1:87:5f:d7:fd:30:be:

                    d6:11:df:65:03:22:4e

                ASN1 OID: secp384r1

                NIST CURVE: P-384

        X509v3 extensions:

            X509v3 Key Usage: critical

                Certificate Sign, CRL Sign

            X509v3 Extended Key Usage:

                TLS Web Client Authentication, TLS Web Server Authentication

            X509v3 Basic Constraints: critical

                CA:TRUE, pathlen:0

            X509v3 Subject Key Identifier:

                41:C5:56:06:07:79:77:7B:4B:12:0C:52:00:79:FD:73:E2:F9:7E:E7

            X509v3 Authority Key Identifier:


keyid:5B:BC:E1:46:F2:7B:A4:61:96:FA:28:A8:23:10:F5:BD:C2:CA:8F:E0

            Authority Information Access:

                CA Issuers - URI:http://x2.i.lencr.org/

            X509v3 CRL Distribution Points:

                Full Name:

                  URI:http://x2.c.lencr.org/

            X509v3 Certificate Policies:

                Policy: 2.23.140.1.2.1

                Policy: 1.3.6.1.4.1.44947.1.1.1

    Signature Algorithm: ecdsa-with-SHA384

         30:65:02:30:4a:89:e2:09:c5:0e:fc:bb:6c:4f:9f:86:e0:35:

         8f:f1:53:d3:c0:5f:c1:2e:98:52:b3:45:c6:3f:56:b4:b4:bb:

         f7:5e:c4:1d:05:5e:10:95:c5:ee:46:c6:11:88:e3:53:02:31:

         00:f8:b6:31:d2:c4:47:28:52:b4:84:84:9c:37:0d:56:64:89:

         bd:cb:80:6b:16:db:8c:54:f8:e1:74:f5:c3:e7:99:cf:4f:66:

         99:b4:60:a3:44:2b:d0:88:85:18:9b:fe:6b

```

int-e2.cert.pem.txt

```text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            55:16:37:77:f4:32:11:39:63:1d:ac:6c:59:2f:e3:4d

        Signature Algorithm: ecdsa-with-SHA384

        Issuer: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root X2

        Validity

            Not Before: Sep  4 00:00:00 2020 GMT

            Not After : Sep 15 16:00:00 2025 GMT

        Subject: C = US, O = Let's Encrypt, CN = (FAKE) E2

        Subject Public Key Info:

            Public Key Algorithm: id-ecPublicKey

                Public-Key: (384 bit)

                pub:

                    04:b8:f3:3c:11:cf:55:8d:cd:d8:7e:db:1e:91:1f:

                    3e:0f:53:e4:ff:35:69:b7:9d:5c:cb:5a:ec:69:4c:

                    7f:64:c9:46:d0:95:0a:4e:e0:04:06:17:a7:25:bc:

                    a5:34:03:43:ca:47:3d:65:65:3e:9c:0a:7d:66:57:

                    77:e9:fa:24:ae:57:49:7b:5e:88:5c:ab:6d:67:e1:

                    b1:23:92:0d:c1:05:d7:3b:31:90:45:9f:d6:97:0c:

                    03:24:73:ad:2d:f9:76

                ASN1 OID: secp384r1

                NIST CURVE: P-384

        X509v3 extensions:

            X509v3 Key Usage: critical

                Certificate Sign, CRL Sign

            X509v3 Extended Key Usage:

                TLS Web Client Authentication, TLS Web Server Authentication

            X509v3 Basic Constraints: critical

                CA:TRUE, pathlen:0

            X509v3 Subject Key Identifier:

                E9:BE:44:E8:A5:D6:BE:35:7F:7E:93:02:72:6E:C6:D7:4B:43:F6:E3

            X509v3 Authority Key Identifier:


keyid:5B:BC:E1:46:F2:7B:A4:61:96:FA:28:A8:23:10:F5:BD:C2:CA:8F:E0

            Authority Information Access:

                CA Issuers - URI:http://x2.i.lencr.org/

            X509v3 CRL Distribution Points:

                Full Name:

                  URI:http://x2.c.lencr.org/

            X509v3 Certificate Policies:

                Policy: 2.23.140.1.2.1

                Policy: 1.3.6.1.4.1.44947.1.1.1

    Signature Algorithm: ecdsa-with-SHA384

         30:65:02:30:0e:ef:00:95:54:e2:36:9c:f2:7a:2b:a5:98:4d:

         d9:fc:d4:85:b6:31:75:3c:25:02:bb:91:33:93:9c:dc:14:5f:

         a6:16:a0:1b:e7:e4:53:01:76:f7:60:cc:74:9a:45:8c:02:31:

         00:e8:c5:d0:1e:d7:11:25:13:f1:ad:3b:b1:75:48:56:d3:bb:

         9c:e3:54:72:33:0f:bd:b1:47:f3:88:49:74:74:65:cf:f3:d6:

         73:54:ef:80:76:a2:fa:f0:9d:4c:01:1a:51

```

int-r3.cert.pem.txt

```text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            99:84:df:97:40:a4:ee:80:26:4b:91:37:38:4c:54:f0

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C = US, O = Internet Security Research Group, CN = (FAKE)
ISRG Root X1

        Validity

            Not Before: Sep  4 00:00:00 2020 GMT

            Not After : Sep 15 16:00:00 2025 GMT

        Subject: C = US, O = Let's Encrypt, CN = (FAKE) R3

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                RSA Public-Key: (2048 bit)

                Modulus:

                    00:ad:4a:7e:29:b0:40:3f:5d:02:2a:e6:a0:61:36:

                    b5:53:da:9b:43:a9:a8:cc:77:cc:b3:42:1f:2c:45:

                    e5:be:ed:82:44:64:fa:f6:11:0b:55:b1:94:cb:c4:

                    ed:65:bd:80:cb:42:f6:10:53:42:bb:cd:d6:53:b1:

                    11:25:fc:87:63:e0:fa:17:92:a7:f0:11:a0:93:14:

                    51:94:c3:00:17:3d:57:43:84:c7:6a:28:0c:bf:b7:

                    ea:93:43:c1:55:f9:93:e8:b1:1d:99:de:8a:c1:ad:

                    51:73:f7:fe:a1:35:c1:d2:08:56:25:59:d7:e8:e4:

                    ca:a8:cc:e1:58:d7:d7:47:75:76:06:da:8a:1c:59:

                    75:e9:33:50:33:cb:8c:30:f3:c3:b4:85:e2:7d:64:

                    11:e0:61:b8:6c:52:37:97:d8:7f:f5:68:78:01:a2:

                    45:3b:6c:6d:01:5e:e4:da:db:a6:72:30:71:12:8d:

                    25:d0:3f:6f:ab:c7:bf:f2:90:0c:76:7e:d7:26:c6:

                    76:e7:f1:6c:b0:4b:50:46:c6:a5:ef:e3:80:5c:b7:

                    bc:6e:86:51:ee:a5:6f:bc:95:11:6b:63:74:07:54:

                    b5:6b:47:cc:05:83:9e:c6:64:ed:e6:2a:77:33:d9:

                    9f:1b:f3:6b:26:60:77:84:6c:c1:23:c7:bc:0c:53:

                    8e:dd

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Key Usage: critical

                Certificate Sign, CRL Sign

            X509v3 Extended Key Usage:

                TLS Web Client Authentication, TLS Web Server Authentication

            X509v3 Basic Constraints: critical

                CA:TRUE, pathlen:0

            X509v3 Subject Key Identifier:

                D6:05:53:D9:86:32:27:48:56:E3:2D:9A:68:C5:EA:E1:20:79:0F:C1

            X509v3 Authority Key Identifier:


keyid:A9:A3:DC:1E:01:BE:FF:0B:27:FB:85:3E:02:9E:51:2E:A9:2B:17:04

            Authority Information Access:

                CA Issuers - URI:http://x1.i.lencr.org/

            X509v3 CRL Distribution Points:

                Full Name:

                  URI:http://x1.c.lencr.org/

            X509v3 Certificate Policies:

                Policy: 2.23.140.1.2.1

                Policy: 1.3.6.1.4.1.44947.1.1.1

    Signature Algorithm: sha256WithRSAEncryption

         c4:d3:1e:e4:e7:ba:96:dc:0e:3d:d3:b2:43:c5:3f:da:7b:c3:

         e1:48:8e:c2:bd:9b:bf:2a:37:d8:0b:fb:d8:f4:0e:97:82:17:

         92:cc:b5:4c:15:2f:78:56:b3:70:63:21:60:c5:ad:1f:f8:13:

         0b:7b:e3:8e:bc:eb:94:cb:69:0b:b9:40:63:03:49:39:2e:ba:

         e2:dd:cb:a5:0d:e1:62:05:0c:b2:7a:40:10:cd:c4:5c:dc:e4:

         2e:da:5f:37:41:d1:79:03:85:a2:dd:0a:ec:dd:0d:7a:64:fb:

         5e:90:bc:4c:6b:95:af:4c:d0:94:e8:b4:ce:33:50:4f:6a:40:

         0e:38:94:e3:ed:8e:e1:26:3b:eb:8f:2b:a2:5a:34:64:2f:14:

         ed:0f:e7:94:0b:d1:8d:e6:ad:a8:88:4e:f4:27:14:71:b0:d3:

         b3:27:19:9d:27:1c:4f:53:c7:c8:3e:90:5b:1b:82:2e:76:bd:

         cc:92:c5:e0:22:ec:e0:de:7e:ec:de:f2:02:0d:a1:80:db:f6:

         86:47:cd:87:b5:92:bc:63:09:72:e3:23:c7:79:c8:7e:e2:dd:

         e1:e1:6a:c6:2e:c1:35:cb:7a:a6:b5:2e:2e:fe:54:99:25:b4:

         9f:dc:92:65:a4:ca:bb:54:16:63:ad:d6:6d:11:db:cb:4a:87:

         37:50:5a:3e:12:eb:5f:2d:cc:51:07:ef:df:97:da:a5:da:96:

         8a:9a:60:bf:fa:b7:68:c0:27:50:f8:83:7e:5c:26:9c:77:4d:

         ed:07:4b:be:85:85:40:95:2b:d9:f5:a6:58:c2:fd:28:2e:dc:

         06:86:67:70:a2:ad:86:5b:48:c8:d7:55:ba:18:40:b9:57:4d:

         f9:6c:00:5d:c2:ab:ec:8e:03:76:d6:9b:0f:ca:de:81:b7:66:

         52:5e:9a:17:b6:7b:6a:d1:04:8d:1d:b3:fe:d6:50:a1:60:03:

         38:f6:07:ed:70:3d:73:19:bf:ef:1f:c2:dc:b0:70:99:39:ac:

         71:91:13:ef:a5:cf:b7:64:a6:5b:29:b9:3d:92:a5:1f:c3:25:

         d6:2e:d5:e3:f5:14:70:33:57:38:14:67:5a:23:30:cf:0e:bc:

         6c:7a:b3:9e:e9:49:6f:58:b2:10:51:91:32:ee:16:cb:1a:8f:

         eb:be:ab:e2:ba:d2:c8:4a:f4:bd:f1:cc:a3:8d:a5:fd:a7:d0:

         77:e2:c7:04:a9:47:93:56:42:fc:58:48:32:02:35:40:02:9b:

         1d:ae:f7:24:d9:39:01:c5:66:78:60:74:a9:92:fa:07:10:e3:

         94:e7:15:ff:63:0d:ad:6d:3c:a4:cf:10:a2:83:e5:f6:7f:56:

         ac:83:5c:3d:1f:f0:82:14

```

int-r4.cert.pem.txt

```text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            25:5e:9c:00:20:eb:9d:1c:29:d2:fb:f1:89:04:77:c1

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C = US, O = Internet Security Research Group, CN = (FAKE)
ISRG Root X1

        Validity

            Not Before: Sep  4 00:00:00 2020 GMT

            Not After : Sep 15 16:00:00 2025 GMT

        Subject: C = US, O = Let's Encrypt, CN = (FAKE) R4

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                RSA Public-Key: (2048 bit)

                Modulus:

                    00:d4:c3:84:ce:00:e7:76:34:d5:2a:bb:e4:95:4e:

                    bc:52:a2:b2:9a:29:9c:56:5b:b9:a4:f0:07:9a:4f:

                    29:55:7a:97:97:12:78:f8:00:8c:d1:2b:de:6a:0d:

                    be:d0:5b:b4:74:c3:73:d7:e7:7b:da:bc:1b:72:0d:

                    30:7c:3a:3b:4f:25:c2:4d:1d:fc:60:21:c7:dd:b9:

                    a0:e2:fb:65:9f:e9:aa:ed:01:d4:bd:5a:aa:ce:2b:

                    51:ae:97:39:5d:cc:b2:42:30:40:17:91:3c:8e:d8:

                    b0:16:b9:16:e0:e8:30:ad:f2:9e:6b:1a:49:a6:9a:

                    19:6f:bf:41:24:d7:98:bb:6c:85:52:4b:1e:a9:58:

                    e9:e1:9a:83:4b:a9:14:6a:c3:5d:4c:45:68:30:10:

                    bd:45:ff:6d:3d:08:fe:88:c5:d6:7d:d1:74:6b:f8:

                    57:c2:e8:3f:34:42:fa:c2:f4:58:e6:05:88:c7:ea:

                    e6:17:a2:fd:32:72:4b:a4:2e:6e:85:51:8b:f4:d7:

                    3e:d3:a7:f9:d9:f5:c6:bc:dd:63:1f:ef:26:b0:98:

                    b3:a4:b1:f9:b2:b2:9b:9f:34:c8:75:29:e0:88:78:

                    75:fe:c9:7e:a7:5c:c0:a0:5f:d6:fd:15:0f:3b:0f:

                    ca:03:3d:b8:50:19:93:a1:74:ac:52:5c:f9:cf:82:

                    75:89

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Key Usage: critical

                Certificate Sign, CRL Sign

            X509v3 Extended Key Usage:

                TLS Web Client Authentication, TLS Web Server Authentication

            X509v3 Basic Constraints: critical

                CA:TRUE, pathlen:0

            X509v3 Subject Key Identifier:

                77:52:2C:3B:1F:BE:4B:22:EB:22:14:21:16:47:40:AA:F9:4C:C5:C4

            X509v3 Authority Key Identifier:


keyid:A9:A3:DC:1E:01:BE:FF:0B:27:FB:85:3E:02:9E:51:2E:A9:2B:17:04

            Authority Information Access:

                CA Issuers - URI:http://x1.i.lencr.org/

            X509v3 CRL Distribution Points:

                Full Name:

                  URI:http://x1.c.lencr.org/

            X509v3 Certificate Policies:

                Policy: 2.23.140.1.2.1

                Policy: 1.3.6.1.4.1.44947.1.1.1

    Signature Algorithm: sha256WithRSAEncryption

         11:e3:c8:53:c6:91:a4:cd:fc:00:6b:ec:12:36:4a:4d:58:43:

         c4:60:e4:5e:95:83:f9:dd:2f:f0:34:b5:ed:77:7e:22:7c:db:

         a6:e9:a9:fa:40:b2:db:55:14:3a:d6:2e:f8:9a:a4:c3:e9:aa:

         bc:69:9d:4c:27:84:fa:e4:b5:61:72:f3:91:58:ce:45:78:9a:

         17:32:16:55:f0:a5:1d:89:75:08:11:66:c8:78:fe:71:05:99:

         3a:0b:db:11:d9:92:59:45:ff:4c:4b:6b:1c:24:4d:a4:43:f8:

         4f:5b:f0:d9:80:c0:56:78:27:8b:94:bd:2c:c1:75:89:65:c0:

         04:9f:ba:3f:1b:db:6a:a3:fd:e7:48:8f:49:dc:0d:9f:11:9b:

         53:8e:e1:ea:87:81:72:20:16:d2:55:b1:da:13:ed:8c:b3:76:

         1f:35:c4:3b:12:1a:29:7d:73:f4:55:1d:06:bd:53:de:6d:a9:

         33:73:5c:96:cc:38:1f:66:4e:9b:d4:88:38:33:9c:bb:20:33:

         0e:db:2d:a2:03:fa:8f:8a:7e:7c:29:a2:d3:9c:28:d5:31:81:

         07:ab:f8:8c:3d:f9:ad:1c:c5:c8:85:86:d8:ad:67:dd:de:e4:

         eb:73:18:c0:12:5d:7d:87:b9:ea:ab:25:74:48:39:ba:b5:b8:

         04:ea:d1:92:23:96:c7:97:6c:0a:7e:32:f0:76:0d:1a:80:e5:

         63:3a:86:86:60:65:8c:61:f1:cd:a1:61:f7:7e:80:92:dd:44:

         92:e7:82:0f:1b:d9:61:ea:f9:92:f2:65:dd:40:1f:c8:a1:2a:

         f5:55:95:f4:29:85:fa:ad:03:24:e9:09:39:80:b0:05:b8:9b:

         a3:59:b8:52:b9:4a:ef:9f:59:e3:57:72:29:fe:3e:bd:46:55:

         19:af:5d:61:96:7d:be:ce:1f:e0:aa:51:8f:c8:dc:27:10:a8:

         aa:d6:61:41:fc:3e:e4:cb:86:54:0a:4b:60:f6:27:18:b5:70:

         17:94:b7:00:07:6d:6b:95:db:e4:28:8a:fa:5e:9c:76:a3:a5:

         45:7d:9d:ca:4b:c6:2f:84:91:7a:09:7a:8c:8a:db:b5:20:10:

         cf:7f:7a:90:48:8d:6e:47:a4:03:d4:19:65:49:a5:96:49:e9:

         e2:1d:af:a1:e2:5e:a0:4c:25:39:c3:8c:b6:01:1c:4b:3b:be:

         41:6b:4d:28:b0:e3:fc:01:a7:e8:0e:f1:38:2e:3c:a3:25:e2:

         c7:83:4c:4b:f8:95:98:91:08:ae:90:56:48:db:96:69:57:44:

         5a:4d:b8:42:3e:5e:38:f3:3f:73:02:b9:44:7d:0f:71:fd:56:

         70:1c:da:04:9f:8b:20:ce

```
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
  • Plans for new ECDSA root and... Jacob Hoffman-Andrews via dev-security-policy

Reply via email to