Are we currently waiting for Microsoft to trust ISRG Root X2?

Hello guys,

I remember that ISRG Root X2 was originally planned to be launched in January, but it is already March.

I noticed that Microsoft still does not trust the self-signed ISRG Root X2. Are we currently waiting for Microsoft to trust ISRG Root X2?

ISRG Root X2 (EC) has a variant that is signed by ISRG Root X1 (RSA). See Chain of Trust - Let's Encrypt - Free SSL/TLS Certificates.

It results in a larger fullchain file, but I haven't seen any known compatibility issues. From what I understand, the introduction of X2 is waiting on a lot of infrastructure and code enhancements that are necessary for deployment.

I know, but I am more interested in a 100% ECDSA certificate chain.

Interestingly, Microsoft, Firefox, and Debian (ca-certificates) currently do not trust ISRG Root X2. It seems that it will take a while for a 100% ECDSA certificate chain.

Each root program has different requirements for requesting inclusion. I believe Microsoft requires a test site(s) that chains to the root like

When the infrastructure changes are complete, the Let’s Encrypt team will be able to issue the test certificates for those sites and submit the root for inclusion in all major root programs.


Sorry, I misread your question. I thought you were asking if the X2 Root deployment was being held back for Microsoft.

The official position of ISRG has been that it will take 5 years for the X2 Root to be widely trusted. Their staff have reiterated this in many posts, and it appears in the organization's official Annual Report (see below).

