Getting the CA into "The List In The Browsers"


At some point the root CA for Let’s Encrypt will need to be added to “The List In The Browsers” so that people can get that warm fuzzy feeling that comes from a green padlock in their URL bar. As a Mozilla-sponsored project I expect the first target browser would be Firefox. I had a quick look over on Bugzilla for the preliminary discussion relating to adding this root CA and didn’t find anything.

My question: As a new kind of CA which is perhaps the first to be entirely gratis and automatic, has there been a discussion about whether this CA would be acceptable to add to the list of trusted CA embedded in browsers and operating systems? If this discussion is already going on, can someone provide a link?


We will start the process of applying to all major root programs (e.g. Mozilla, Google, Microsoft, Apple, Oracle) soon. We intend to see our root trusted directly by the vast major user agents.

While we work on that our root will be cross-signed by IdenTrust.


There are already CAs providing free certificates (like StartSSL or WoSign), though not fully automated. AFAIK, pricing and automation are no matter for organizations like the CA/Browser Forum. It might be more important how the CA operation is protected (remember DigiNotar…) :wink:


As far as I know the green color is for EV certificates, which Let’s Encrypt specifically doesn’t support. For instance, in Firefox 39-ish running on Fedora, displays the grey padlock. That’s what I understand, however. If the staff or anyone more knowledgeable care to comment…

EDIT: just tested with Google Chrome, which does, indeed, displays the green padlock for


The green padlock with green https text is the normal DV, OV certificate visual cue from Google Chrome, eg:

The green BLOCK with the entity’s name, and green padlock, is EV certificate’s visual cue from Google Chrome, eg:

I think what @jwal was referring to was the standard green padlock, green https text that comes from normal DV/OV certificates.


Just to be clear for people who aren’t familiar with cross-signatures, the cross-signature means that IdenTrust (an existing root CA) approves us as a CA, and therefore our certificates will be accepted automatically by browsers. For this purpose, we don’t need a new agreement with the browser developers and they don’t need to manually add us to a root CA list. The cross-signature lets the browsers accept our certs on the basis of their existing trust in IdenTrust’s root.