In anticipation of Let's Encrypt dropping Must-Staple support on May 7th and OCSP 3 months later, our services previously using OCSP stapling and Must-Staple have been moved to the Let's Encrypt tlsserver profile made publicly usable a couple weeks ago: https://community.letsencrypt.org/t/removing-ocsp-urls-from-certificates/236699
The tlsserver profile drops support for OCSP early along with various legacy features. The upcoming shortlived profile is based on the tlsserver profile with validity reduced from 90 days to 6 days, so we can now smoothly migrate to shortlived as soon as it's made available for us to use.

OCSP stapling with Must-Staple was the best path forward for working certificate revocation checks but had poor adoption. OCSP responses with signed revocation data for a certificate from the Certificate Authority generally had several days of validity. 6 day validity certificates sidestep all this, since the certificate itself expires within the window an OCSP response would have covered.
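An added example (not code from the GrapheneOS post or from Let's Encrypt) of the inventory check behind this migration: it decodes the RFC 7633 TLS Feature extension to tell whether a certificate still carries Must-Staple, collects its OCSP responder URLs and validity period, and flags certificates that depend on OCSP responders that are going away. The self-signed certificates, the example.test name and the OCSP URL are constructed stand-ins, not real Let's Encrypt issuances.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// RFC 7633 TLS Feature extension; feature value 5 (status_request) is what "Must-Staple" means.
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
// Inspect reports whether cert carries Must-Staple, its AIA OCSP responder URLs and its validity in days.
func Inspect(cert *x509.Certificate) (mustStaple bool, ocspURLs []string, validityDays int) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidTLSFeature) {
			var features []int // the extension value is SEQUENCE OF INTEGER
			if _, err := asn1.Unmarshal(ext.Value, &features); err == nil {
				for _, f := range features {
					mustStaple = mustStaple || f == 5
				}
			}
		}
	}
	return mustStaple, cert.OCSPServer, int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
}

// NeedsMigration: a Must-Staple cert fails in enforcing clients once stapling stops, and a long-lived
// cert whose only revocation channel is an OCSP URL loses it; a 6-day cert with neither is fine.
func NeedsMigration(cert *x509.Certificate) bool {
	mustStaple, ocspURLs, days := Inspect(cert)
	return mustStaple || (len(ocspURLs) > 0 && days > 7)
}

// SelfSigned builds a constructed test certificate of the requested shape (not a real Let's Encrypt cert).
func SelfSigned(days int, mustStaple bool, ocspURLs []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	now := time.Now().UTC().Truncate(time.Second) // whole seconds survive the DER round-trip
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour), OCSPServer: ocspURLs}
	if mustStaple {
		val, _ := asn1.Marshal([]int{5}) // DER for SEQUENCE { INTEGER 5 }
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTLSFeature, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Running Inspect over a real deployment's certificates (parsed with x509.ParseCertificate from PEM or DER) gives the same three answers: a 90-day Must-Staple certificate with an OCSP URL needs moving, a 6-day certificate with neither does not.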
We have 2 special-case services which did not use OCSP stapling with Must-Staple and are still using the default Let's Encrypt profile: SUPL and SMTP. Older generations of end-of-life Qualcomm Pixels didn't support SNI for SUPL in the Qualcomm cellular radio TLS stack. Some mail servers still don't support SNI.

We can drop this workaround for SUPL once we decide to drop service support for older generation Qualcomm Pixels. Qualcomm did eventually add SNI support for SUPL and it's available on 5th gen Pixels but not 4th gen Pixels. For SMTP, we do require TLS 1.2+, but SNI wasn't mandatory until TLS 1.3.