Inclusion of ISRG Root


I would like to create a thread here to discuss how inclusion to the different Trusted CA Programs is going.

So, here is the link for inclusion to the Mozilla CA Program:

@jsha How are things going with Microsoft and Apple Root CA inclusion?

Browser/OS vendors with ISRG root in their root certificate stores

@josh is the one working on root program inclusion. Josh, can you comment on the status of our Microsoft and Apple Root Program applications?


We’ve applied to the MS and Apple root programs, haven’t heard much from them. I think the issue is that we haven’t published our full operational WebTrust audits yet; they’ll be out soon and then I’ll check in again.


According to “Will the cross root cover trust by the default list in the JDK/JRE?”, you have also applied to the Oracle root program.

In many ways that’s more important because Java doesn’t trust the cross signed root either :frowning:


From @avi


Following my conversation with BlackBerry CEO John Chen yesterday, I received a message from a senior product manager at BlackBerry who is responsible for security product management. He thanked me for bringing this to their attention and says they have reached out to Let’s Encrypt to commence execution of their root certificate integration agreement. They are preparing a new build of their BlackBerry 10 software for Q2 release which the root certificates could be added to. They’re also willing to add the required certs to their custom Android build, which runs the BlackBerry Priv phone. Good news all around – I look forward to seeing Let’s Encrypt recognized by BlackBerry.

Blackberry - untrusted
Browser/OS vendors with ISRG root in their root certificate stores

@josh Now that the full WebTrust audits are already published, how exactly is the application to Microsoft, Apple and Oracle certificate programs going for the ISRG Root X1? What have they responded to you, if you have already sent them the full audits?


@jsha Can you please ping @josh?


@Jason, please be patient. Root program inclusion takes a long time.


Not for the root inclusion, but for the information that I requested above actually.


Good News in
They switched to the next phase :slight_smile:


Did @jsha @schoen @josh or another LE ops see that message : ?

Kathleen Wilson (Mozilla) said about :

I need a test website whose SSL cert chains up to the root cert to be included.

(The current configuration doesn’t match that: can only find certificate with DST X3 loaded)


Since is still using X1 intermediate it should be easy to add the X1 intermediate signed by ISRG Root X1 to the certificate chain without the need to bring online the root key with a key ceremony.
The root key has to be brought online before May 23 12:00:00 2016 GMT in order to sign the up-to-date CRL (see Signing of the new intermediates). On that date I suppose the root will sign the X3 and X4 intermediates.
The leaf certificate for expires on 29 May 2016, and if it is renewed 30 days before (i.e. April the 29th, with the X3 intermediate) there will be no test site chaining to ISRG Root X1 between the renewal date and the key ceremony.
In order to always have a test site for the inclusion process, I suggest either delaying the automatic renewal of the test site until the key ceremony or having the key ceremony before the end of April.


Yep, we saw it and we’re going to be configuring helloworld to serve the ISRG Root X1-signed intermediate instead of the DST Root X3-signed intermediate. Thanks for pointing it out!

Problem with Root Inclusion

@jsha Why instead? Just send both.


@jsha I believe there are two unanswered questions in!topic/ , is there someone in charge of answering them? To quote the Mozilla representative Kathleen Wilson: “A representative of this CA must promptly respond directly in the discussion thread to all questions that are posted”


I only see one actual question, “answered” (with a question, which makes sense, because the question isn’t very forthcoming) by Richard Barnes, who is affiliated with Let’s Encrypt.


I was talking about the questions by and Richard Barnes, but as Richard Barnes is affiliated with LE, my question is pointless.

Sorry, the affiliation of Richard Barnes with Let’s Encrypt was not explicit (No signature and the email used was


Richard Barnes confirmed he does not talk in the name of Let’s Encrypt:

So there are two unanswered questions:

Referring to the bug tracker entry, where was a recent violation of BR How will ISRG handle that in future? from


Could you provide more details of this violation, please? from Richard Barnes.

According to :

A representative of the CA whose root inclusion request is being discussed must clearly represent their employer and must promptly respond directly in the discussion thread to all questions that are posted.

(emphasis mine) and (Is that you, @jsha?) answered two times in that forum. Probably as a representative of Let’s Encrypt. I believe the use of the should be preferred, to indicate the representation of the CA, or at least add it in the signature of the message. (Which, by the way, was not signed, and truncate emails…)

About the issue mentioned by, I believe it was about that: (Even if it’s unclear that there was a violation of the BR)


Richard’s question is in reply to, it’s not a question for Let’s Encrypt. I think it’s fair enough to ask to clarify what the question is about since it doesn’t contain any details. It’s a public, informal discussion, so I don’t think we’ll need to insist that the CA has to repeat the request for clarification when someone else has already done that.