ISRG Root X2 Submitted to Root Programs

For now you have to request to be allow-listed for ECDSA, see:

2 Likes

OK, I think I understand you now.
I think that any new certs must now be avoiding the soon to be expiring DST Root CA X3.
But your browser may still show it (while it is still valid).

3 Likes

Mozilla has started the public discussion phase regarding the inclusion of ISRG Root X2:

https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/D8coPL0eU3k/m/bE_aRuWxCAAJ

This is an important step in Mozilla's inclusion process.

7 Likes

The public discussion at Mozilla is over, the current status is "Intent to Approve":
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/D8coPL0eU3k/m/t1JxqeZ8AwAJ

9 Likes

The ISRG Root X2 certificate has been formally accepted by Mozilla, and should appear in the next NSS release.
NSS inclusion request: 1738805 - Add ISRG Root X2 root certificate to NSS

13 Likes

Hopefully beginning of 2022 we can start using X2

3 Likes

Is there any public status available for the Apple, Google, and Oracle root programs?

5 Likes

I haven't seen any kind of "publicly visible inclusion process" for most root programs (well, except Mozilla). If there is, I would like to know as well.

The current status as I can verify it is:

6 Likes

@lestaff

I know you're busy and not everyone is available at all times, but you're aware that Mozilla is currently blocked waiting for your input?

7 Likes

We are aware of this, thank you.

6 Likes

Root X2 seems to have been included in the Microsoft and Google root programs at some point recently. Can't say exactly when for lack of transparency in their processes.

2 Likes

While I don't know about the MS root, ISRG Root X2 didn't land in Android 12. As they only do CA store updates on Android releases, I think it'd be like Android 13 or something until it lands on Android.
https://android.googlesource.com/platform/system/ca-certificates/+/8db75df6bd335760ddb36db92463ce2d236d3916
There is no ISRG update there, and if you look up the newest commit you will find no ISRG Root X2 in there either.

5 Likes

Microsoft including ISRG Root X2 has been reported already:

About Google:

That's a bit complicated, because there is no uniform "Google Root Program". There are various trust stores used on their products, for example the trust store used on Android. Censys lists "Google CT" under trust, which are the certificates accepted by their CT log backends. The latter seems to include ISRG Root X2 now, yes. I imagine that these trust stores are run independently by independent departments.

There's a root program run by Google, the Chrome Root Program. But that is still in development and little is known about it.

6 Likes

ISRG Root X2 certificate was just committed in NSS, so should be included in Firefox soon.

6 Likes

Wonderful news! Correct me if I'm wrong, it looks like it'll arrive in the next branch release of NSS on 1/6/2022 in v3.74, meaning it'll land in Nightly immediately after and Firefox 97 stable on February 8.

1 Like

Yes, that's how it's documented here: NSS:Release Versions - MozillaWiki

1 Like

Firefox 97 was released today and the shown certificate chain of https://valid-isrgrootx2.letsencrypt.org ends now at ISRG Root X2. Looks good.

11 Likes

Overall status update:

ISRG Root X2 is included in:

  • NEW Apple: ISRG Root X2 is now included in Apple trust stores when running macOS 12.3 or higher (source)
  • Google (Chrome): An update to the Proposed Root List somewhere in early 2022 started to include ISRG Root X2 as part of roots included at launch. AFAIK, the Chrome Root Program/Store is still not live, but Google has plans to launch it later this year.
  • Mozilla (Firefox/NSS): ISRG Root X2 is included as of Firefox 97 (see news above in this thread)
  • Microsoft: Windows distributes ISRG Root X2 since 2021 (see above). However, due to path building specifics & lazy loading issues, it may not show up in your system.

ISRG Root X2 is not yet included in:

  • Oracle (Java): Latest OpenJDK sources do not include ISRG Root X2 yet.
  • Android: AFAIK, there is no formal Android root program. However, Google does maintain a system trust store for its operating system (it's unknown to me which program this is sourced from). Sources available from AOSP (corresponding to Android 12) do not appear to include ISRG Root X2.

Note that even if a root is included somewhere it takes years before these updates have reached (almost) all users.

14 Likes

Unfortunately, ISRG Root X2 is not yet present in Android 13, either (released in August 2022).

4 Likes