[Cloudflare - Action Required] Upcoming Let's Encrypt certificate chain change ([Cloudflare - 需要采取行动] 即将进行的 Let's Encrypt 证书链更改)

Upcoming Let's Encrypt certificate chain change


We are reaching out to inform you about an upcoming change that will impact the device compatibility of Let’s Encrypt certificates issued after May 15th, 2024. We are reaching out to you because we identified that you are currently using Let’s Encrypt certificates through Universal SSL, Advanced Certificate Manager, Custom Certificates, or SSL for SaaS. We recommend that you familiarize yourself with the Let’s Encrypt change and make any necessary adjustments ahead of time.

Change Overview

Let’s Encrypt issues certificates through two chains: the ISRG Root X1 chain and the ISRG Root X1 chain cross-signed by IdenTrust’s DST Root CA X3. The cross-signed chain has allowed Let’s Encrypt certificates to become widely trusted, while the pure chain developed compatibility with various devices over the last 3 years, growing the number of Android devices trusting ISRG Root X1 from 66% to 93.9%.

Let’s Encrypt announced that the cross-signed chain is set to expire on September 30th, 2024. As a result, Cloudflare will stop issuing certificates from the cross-signed CA chain on May 15th, 2024.


The expiration of the cross-signed chain will primarily affect older devices (e.g. Android 7.0 and earlier) and systems that solely rely on the cross-signed chain and lack the ISRG Root X1 chain in their trust store. This change could result in certificate validation failures on these devices, potentially leading to warning messages or access problems for users visiting your website.

Impact to certificates issued through Universal SSL, Advanced Certificate Manager, or SSL for SaaS:

To prepare for the CA expiration, after May 15th, Cloudflare will no longer issue certificates from the cross-signed chain. Certificates issued before May 15th will continue to be served to clients with the cross-signed chain. Certificates issued on May 15th or after will use the ISRG Root X1 chain. Additionally, this change only impacts RSA certificates. It does not impact ECDSA certificates issued through Let’s Encrypt. ECDSA certificates will maintain the same level of compatibility that they have today.

Impact to certificates uploaded through Custom Certificates:

Certificates uploaded to Cloudflare are bundled with the certificate chain that Cloudflare finds to be the most compatible and efficient. After May 15th, 2024, all Let’s Encrypt certificates uploaded to Cloudflare will be bundled with the ISRG Root X1 chain, instead of the cross-signed chain. Certificates uploaded before May 15th will continue to use the cross-signed chain until that certificate is renewed.

Important Dates

May 15th, 2024: Cloudflare will stop issuing certificates from the cross-signed CA chain. In addition,  Let’s Encrypt Custom Certificates uploaded after this date will be bundled with the ISRG X1 chain instead of the cross-signed chain.

September 30th, 2024: The cross-signed CA chain will expire.


To reduce the impact of this change, we recommend taking the following steps:

Change CAs: If your customers are making requests to your application from legacy devices and you expect that this change will impact them, then we recommend using a different certificate authority or uploading a certificate from the CA of your choice.

Monitoring: Once the change is rolled out, we recommend monitoring your support channels for any inquiries related to certificate warnings or access problems.

Update Trust Store: If you control the clients that are connecting to your application, we recommend upgrading the trust store to include the ISRG Root X1 chain to prevent impact.

If you have any questions, we recommend that you refer to our Developer Documentation or blog post regarding this change.  If you are an Enterprise customer and have additional questions or concerns, please reach out to your Account Team.


即将到来的 Let's Encrypt 证书链变更


我们与您联系是为了通知您即将发生的更改,该更改将影响 2024 年 5 月 15 日之后颁发的 Let's Encrypt 证书的设备兼容性。我们与您联系是因为我们发现您当前正在通过通用 SSL、高级使用 Let's Encrypt 证书 证书管理器、自定义证书或适用于 SaaS 的 SSL。 我们建议您熟悉 Let’s Encrypt 的变更并提前进行必要的调整。


Let’s Encrypt 通过两条链颁发证书:ISRG Root X1 链和由 IdenTrust 的 DST Root CA X3 交叉签名的 ISRG Root X1 链。 交叉签名链使 Let’s Encrypt 证书得到广泛信任,而纯链在过去 3 年中开发了与各种设备的兼容性,使信任 ISRG Root X1 的 Android 设备数量从 66% 增加到 93.9%。

Let’s Encrypt 宣布交叉签名链将于 2024 年 9 月 30 日到期。因此,Cloudflare 将于 2024 年 5 月 15 日停止从交叉签名 CA 链颁发证书。


交叉签名链的过期将主要影响较旧的设备(例如 Android 7.0 及更早版本)和仅依赖交叉签名链且在其信任存储中缺少 ISRG Root X1 链的系统。 此更改可能会导致这些设备上的证书验证失败,从而可能导致访问您网站的用户出现警告消息或访问问题。

对通过通用 SSL、高级证书管理器或适用于 SaaS 的 SSL 颁发的证书的影响:

为了应对 CA 过期做好准备,5 月 15 日之后,Cloudflare 将不再从交叉签名链颁发证书。 5 月 15 日之前颁发的证书将继续通过交叉签名链提供给客户。 5 月 15 日及之后颁发的证书将使用 ISRG Root X1 链。 此外,此更改仅影响 RSA 证书。 它不会影响通过 Let’s Encrypt 颁发的 ECDSA 证书。 ECDSA 证书将保持与当前相同级别的兼容性。


上传到 Cloudflare 的证书与 Cloudflare 认为最兼容、最高效的证书链捆绑在一起。 2024 年 5 月 15 日之后,上传到 Cloudflare 的所有 Let’s Encrypt 证书都将与 ISRG Root X1 链捆绑,而不是与交叉签名链捆绑。 5 月 15 日之前上传的证书将继续使用交叉签名链,直到该证书得到更新。


2024 年 5 月 15 日:Cloudflare 将停止从交叉签名的 CA 链颁发证书。 此外,在此日期之后上传的 Let’s Encrypt 自定义证书将与 ISRG X1 链捆绑在一起,而不是与交叉签名链捆绑在一起。

2024 年 9 月 30 日:交叉签名的 CA 链将到期。



更改 CA:如果您的客户从旧设备向您的应用程序发出请求,并且您预计此更改会影响他们,那么我们建议使用不同的证书颁发机构或从您选择的 CA 上传证书。


更新信任存储:如果您控制连接到应用程序的客户端,我们建议升级信任存储以包含 ISRG Root X1 链以防止影响。

如果您有任何疑问,我们建议您参阅有关此更改的开发人员文档或博客文章。 如果您是 Enterprise 客户并有其他问题或疑虑,请联系您的客户团队。