Before you begin

For the Domain Validated (DV) SAN certificates issued by Let’s Encrypt, you can select one of the trust chain options supported by Let’s Encrypt, or leave the selection blank.

CPS includes the selected trust chain with the leaf certificate in the TLS handshake. If you don’t select any of the options, the trust chain defaults to R3 + ISRG Root X1 (signed by DST Root CA X3). In the near future, the default will change to R3 (signed by ISRG Root X1). For more information on the planned default change date, see Trust chains for DV SAN certificates issued by Let’s Encrypt community page.

The currently recommended R3 + ISRG Root X1 (signed by DST Root CA X3) trust chain supports older Android devices (prior to version 7.1.1).

R3 (signed by ISRG Root X1) is the more modern and smaller trust chain. It’s recommended for customers who want the fewest number of bits sent on the wire in TLS handshakes, or to support API traffic, or any application using OpenSSL 1.0.x (and forks of this version). Only Android devices with version higher than 7.1.1 support this trust chain.

If you need to support both older Android devices and OpenSSL, you are encouraged to split your traffic by hostname and provision two separate certificates. Third-party certificates are also an option. If you have control over the end-user devices running older Android versions, install the Firefox web browser which works with either chain. For more information, see Trust chains for DV SAN certificates issued by Let’s Encrypt.

How to

Select one of the trust chain options available, or leave the field blank to apply the default trust chain.

Next steps

Continue to Review your choices and submit the request.