Document chains inline with active intermediates #2124
Merged
+26
−16
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aarongable
force-pushed
the
gen-y-chains
branch
from
6492512 to
7da9160
Compare
mcpherrinm
approved these changes
Jan 8, 2026
Contributor
mcpherrinm
left a comment
mcpherrinm
left a comment
There was a problem hiding this comment.
LGTM, though I have one suggestion that I think might look a bit nicer.
Contributor
Author
|
Tidied up how defaults are indicated and fixed a couple mistakes I found at the same time. |
mcpherrinm
approved these changes
Jan 9, 2026
ghen2
reviewed
Jan 9, 2026
| Sometimes there's more than one valid chain for a given certificate: for example, if an intermediate has been cross-signed, then either one of those two certificates could be the second entry, "chaining up to" either of two different roots. In this case, different website operators may want to select different chains depending on the properties that they care about the most. | ||
|
|
||
| Subscriber certificates with RSA public keys are issued from our RSA intermediates, which are issued only from our RSA root ISRG Root X1 (i.e. they are not cross-signed). Therefore, all RSA subscriber certificates have only a single chain available: | ||
| Each of the active intermediates above documents which chain is offered by default, and which (if any) additional chains may be requested by ACME clients. In general, chains which terminate at ISRG Root X1 have the largest size but also the greatest compatibility with older clients. Chains which terminate at ISRG Root X2 (only offered for ECDSA certificates) are smaller, but will only work with clients that have received an update to their trust store after 2022 or so. Chains which terminate at Root YE or Root YR will are not expected to work with any of the major trust stores, as those roots have not yet been incorporated. |
Contributor
There was a problem hiding this comment.
"will are not expected to work" (double auxiliary verb).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The chains documentation had gotten out of date because it is down at the bottom of the doc where its easy to miss. Move the listing of the actual chains we offer inline with the active intermediates. Update the prose documentation at the bottom of the article to be more future-proof.