Let’s Encrypt’s Root Certificate Has Expired

On September 30th, the DST Root CA X3 cross-sign expired and was replaced with the "ISRG Root X1" self-signed root, which is also trusted by the major browsers and root stores.

08 October 2021

Have you noticed?

If you run a typical website, you probably won’t notice a difference. According to the Let’s Encrypt post, the vast majority of website visitors will still accept Let’s Encrypt certificates. “If you provide an API or have to support IoT devices, you might have to pay a little more attention to the change,” says the article.

For quite some time now (over 5 years), Let’s Encrypt has used a root certificate called ISRG Root X1, and most modern browsers and devices trust Let’s Encrypt certificates. However, older devices that no longer receive updates would not recognise it, so a “cross-signature” from an older root certificate, DST Root CA X3, was used.

Now that DST Root CA X3 has expired, older devices will start getting certificate warnings when visiting sites that use Let’s Encrypt certificates (with the exception of old Android devices).
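How the expiry plays out for different clients, as an added example (not from the original post or from Let’s Encrypt): a simplified path-building model that compares only names and expiry dates and skips signature checks. The intermediate and leaf names, every date other than the DST Root CA X3 expiry, and the `find_path` helper are assumptions made for illustration; old Android is modelled as a client that does not enforce expiry on its trust anchors.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed sample data; only the DST Root CA X3 expiry comes from the post.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))      # self-signed
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-sign
INTERMEDIATE = Cert("Intermediate CA", "ISRG Root X1", date(2025, 9, 15))
LEAF = Cert("www.example.org", "Intermediate CA", date(2021, 12, 1))

# What the server sends: leaf, intermediate, and the cross-signed ISRG Root X1.
SERVED = [LEAF, INTERMEDIATE, ISRG_CROSS]

def find_path(leaf, served, anchors, today, check_anchor_expiry=True):
    """Return the subjects of the first path from leaf to a trusted anchor, or None."""
    def walk(cert, path):
        if today > cert.not_after:          # expired leaf or intermediate
            return None
        path = path + [cert]
        for anchor in anchors:              # does a trusted root issue this cert?
            if anchor.subject == cert.issuer and (
                    not check_anchor_expiry or today <= anchor.not_after):
                return path + [anchor]
        for candidate in served:            # otherwise climb via a served cert
            if candidate.subject == cert.issuer and candidate not in path:
                found = walk(candidate, path)
                if found:
                    return found
        return None
    result = walk(leaf, [])
    return [c.subject for c in result] if result else None

if __name__ == "__main__":
    after = date(2021, 10, 8)
    clients = {
        "modern (trusts ISRG Root X1)": ([ISRG_ROOT], True),
        "legacy (trusts only DST Root CA X3)": ([DST_ROOT], True),
        "old Android (anchor expiry not enforced)": ([DST_ROOT], False),
    }
    for name, (anchors, strict) in clients.items():
        path = find_path(LEAF, SERVED, anchors, after, strict)
        print(f"{name}: {' -> '.join(path) if path else 'certificate warning'}")
```

The legacy client is the API and IoT case the post warns about: its only route to a trusted root runs through the expired anchor, so no valid path remains.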

Read more: DST Root CA X3 Expiration (September 2021) by the Let’s Encrypt team.