DST Root CA X3 expire 2021

The DST Root CA X3 from IdenTrust which leads to trust for Let´s Encrypt in desktop and mobile browsers expire at 30.09.2021.

The own root certificate from letsencrypt is to new to be trusted from the majority of browsers and devices.

What is the idea for compatibility after this date? Especially for websites that have to ensure that customers can use their sites even with older equipment.

Amazon made a good deal with buying Starfield and their root - expiring 01.01.2038 - and trusted even in Windows XP SP3.

Is something similar in prospect for LE? Is IdenTrust holding another old root certificate?

I be aware of this thread. But there is no answer to my question.


What do you expect since LE is a FREE certificate authority

Thank you.

So… the question isn’t valid? Or he shouldn’t expect an answer?

I personally think the previous post clearly explains what will happen.

And to his question, (compatibility), he might want to find a “paid” CA. or simply use Cloudflare for his frontend SSL and LE for connections.

(Which in the following case he was suggesting LE should get/buy a durable and reliable CA cert)

(If this is the case, why not find a CA that was started since the beginning of Internet?)

When DST epired, Windows Vista will be the “older” equipment.(Since at that point XP was EOL for 6 years)

I see no reason to believe that Let’s Encrypt are definitely dropping XP support in 3 years.

If cross-signing is still required for compatibility reasons, then, as already mentioned, Identrust has other certificates available. After all, rotation of intermediates is a fairly routine matter, and the current Let’s Encrypt X3 intermediate will be expired before the DST root is.

Cloudflare only works with SNI - therefore not on old visitor-hardware. And they have other restrictions on the issues of testing new technologies, so that they later work for business accounts.

Do you blame Let´s Encrypt for choosing such an old root for cross-signing. The DST Root CA X3 is from 2000 - near at the beginning of active usage of the Internet.

The Starfield for instance is from 2008. A wide range of root certificates from big CAs are issued around 2008.

But you think the LE Root is to old?

Perhaps you read my post and figure out the actual question.

And think twice: the target of LE is not only to be there for hobby projects, Owncloud, Nextcloud, private picture gallerys, internet routers .... The mission is "to get to a 100% encrypted Web".

Read some statements from them. Really do that.

And there fast growing market share at DV certificates will have consequencences ...
Can a CA live on EV and OV certificates? Journals in my country say no.

And another cash cow the wildcard market beginns to disappear in some days.

Oh I think you don´t need to earn your money (Sorry if I am wrong). LE is not free, it costs money but not your money it´s the money from them. Or would you work for free? Consider you have to pay your rent ...

And because LE is free for you and for me, it´s not allowed to ask a question? Just Sponsors should be allowed to ask questions?

IdenTrust has two others. Both starting 2014, the root from LE started 2015, so cross-signing makes no sense.

Issuing a certificate means not trusting. The 2015 LE Root for instance is trusted in Firefox since August 2016.

And when starts the ECC-Root? When it will be issued? It was planned to generate it in 2015.

It would be nice if an engineer oder a moderator can make a statement.

Hi @fnso,

I think your question is legitimate, but I think it’s too early to be sure of what options are available to Let’s Encrypt, in terms of which roots may be available to sign a future LE intermediate, and how much backward compatibility can be achieved. Nor do I think it’s too early to ask the question—but it might be too early to answer the question.

I’ll invite @josh to comment on this, but I wouldn’t be surprised if the answer is “we’ll have to continue researching and discussing this before making an announcement”.

I think being aware of upcoming events that can affect software compatibility is very useful; after all, we don’t want to be taken by surprise with little or no time to act.


Ok. Thank you. I am glad about your honesty and your response. That forms a good basis for trust.

I am planning to use Let´s Encrypt from autumn.

When I look at the Google root certificates, they use for cross signing, I think this is a good example in relation to compatibility.

The question whether you find a CA that be willing … In ten years the problem is solved of its own.

I wish you all the best.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.