Description
Starting May 13, 2026, TLS certificates used to connect to Confluent Cloud will use new intermediate certificates provided by Let's Encrypt. Let's Encrypt is changing its certificates by adding new root Certificate Authorities (details are available here) and reducing certificate lifetime (details are available here). As a result, new intermediate certificates, YR1 and YR2, will be used after May 13th, 2026. Their details can be found here, along with the current ones.
Clients that have pinned the intermediate certificates will be affected. They will not be able to connect to Confluent Cloud once their cluster's certificates are renewed with one of the new intermediate certificates after May 13th, 2026, following Let's Encrypt's change.
Certificate pinning is strongly discouraged because it can result in loss of service availability. Let's Encrypt is working to make it increasingly difficult to pin intermediates in order to further discourage this practice. Most certificate store configurations won't employ pinning, so the majority of Confluent Cloud customers will not be impacted by this change. More info is available in Confluent Cloud documentation.
Applies To
All clients which connect to Confluent Cloud.
What do you need to do?
No action is needed if you haven't pinned intermediate certificates per Confluent Cloud documentation. However, if you've pinned intermediate certificates, you need to update your clients' certificates before May 13th and remove the intermediate certificate pinning.
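One way to check a client for pinned intermediates, as an added example (not Confluent's or Let's Encrypt's code): it assumes the client's truststore is a PEM bundle and lists every entry that is not a self-issued root, which is what a pinned intermediate or leaf looks like. All function names are hypothetical, and `sample_pem` builds constructed, unsigned, certificate-shaped data that is used only when no file path is given.

```python
# Added example: audits a PEM truststore (assumed format); sample data is constructed.
import base64, re, sys

CN_OID = b"\x06\x03\x55\x04\x03"  # id-at-commonName (2.5.4.3)
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER Name encodings (issuer, subject) of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)    # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)  # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:     # serial, signature alg, issuer, validity, subject
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:        # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def common_name(name):
    i = name.find(CN_OID)
    _, start, end = tlv(name, i + len(CN_OID)) if i >= 0 else (0, 0, 0)
    return name[start:end].decode("utf-8", "replace") or "<no CN>"

def non_root_entries(pem):
    """(subject CN, issuer CN) of every bundle entry that is not a self-issued root."""
    names = (issuer_and_subject(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem))
    return [(common_name(s), common_name(i)) for i, s in names if i != s]

def sample_pem(subject_cn, issuer_cn):  # constructed, unsigned, certificate-shaped data
    el = lambda tag, *parts: bytes([tag, len(b"".join(parts))]) + b"".join(parts)
    name = lambda cn: el(0x30, el(0x31, el(0x30, CN_OID, el(0x0C, cn.encode()))))
    tbs = el(0x30, el(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", el(0x30),
             name(issuer_cn), el(0x30), name(subject_cn))
    der = base64.b64encode(el(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + der + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    pem = open(sys.argv[1], "rb").read() if sys.argv[1:] else (
        sample_pem("Sample Root", "Sample Root") + sample_pem("Sample Intermediate", "Sample Root"))
    for subject, issuer in non_root_entries(pem):
        print(f"non-root entry pinned in bundle: {subject} (issued by {issuer})")
```

Issuer and subject are compared byte for byte, so a cross-signed root is also reported as a non-root entry.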
We’re here to help
For any questions or concerns, please contact Confluent Technical Support.