ISRG Root X2 Submitted to Root Programs

Nummer378 · September 20, 2021, 5:20pm

Mozilla has started the public discussion phase regarding the inclusion of ISRG Root X2:

https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/D8coPL0eU3k/m/bE_aRuWxCAAJ

This is an important step in Mozillas inclusion process.

ghen · October 16, 2021, 11:01am

The public discussion at Mozilla is over, the current status is "Intent to Approve":
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/D8coPL0eU3k/m/t1JxqeZ8AwAJ

ghen · November 2, 2021, 2:34pm

The ISRG Root X2 certificate has been formally accepted by Mozilla, and should appear in the next NSS release.
NSS inclusion request: 1738805 - Add ISRG Root X2 root certificate to NSS

saudiqbal · November 2, 2021, 6:54pm

Hopefully beginning of 2022 we can start using X2

petercooperjr · November 2, 2021, 11:09pm

Is there any public status available for the Apple, Google, and Oracle root programs?

Nummer378 · November 3, 2021, 12:25am

I haven't seen any kind of "publicy visible inclusion process" for most root programs (well, except Mozilla). If there is I would like to know as well.

The current status as I can verify it is:

Apple: Based on latest sources available from Apple (macOS 11.5 currently), ISRG Root X2 is not included.
Google: Seems to not have updated its public list since the initial proposal(s) in 2020.
Oracle: Latest source code does not include it.

Nummer378 · November 5, 2021, 9:37pm

@lestaff

I know you're busy and not everyone is available at all times, but you're aware that Mozilla is currently blocked waiting for your input?

Phil · November 5, 2021, 9:49pm

We are aware of this, thank you.

acl1704 · November 19, 2021, 7:35am

Root X2 seems to have been included in the Microsoft and Google root programs at some point recently. Can't say exactly when for lack of transparency in their processes.

orangepizza · November 19, 2021, 8:21am

while I don't know about MS root, ISRG root X2 didn't land on android 12, as they only do CA store update on android release I think it'd be like android 13 or somthing until it will land on android.
https://android.googlesource.com/platform/system/ca-certificates/+/8db75df6bd335760ddb36db92463ce2d236d3916
there is no ISRG update there and if you look up newest commit you will find no ISRG root x2 in there too.

Nummer378 · November 19, 2021, 12:36pm

Microsoft including ISRG Root X2 has been reported already:

About Google:

That's a bit complicated, because there is no uniform "Google Root Program". There are various trust stores used on their products, for example the trust store used on Android. Censys lists "Google CT" under trust, which are the certificates accepted by their CT log backends. The latter seems to include ISRG Root X2 now, yes. I imagine that these trust stores are run independently by independent departments.

There's a root program run by Google, the Chrome Root Program. But that is still in development and little is known about it.

ghen · December 13, 2021, 6:34pm

ISRG Root X2 certificate was just committed in NSS, so should be included in Firefox soon.

acl1704 · December 13, 2021, 7:15pm

Wonderful news! Correct me if I'm wrong, it looks like it'll arrive in the next branch release of NSS on 1/6/2022 in v3.74, meaning it'll land in Nightly immediately after and Firefox 97 stable on February 8.

ghen · December 13, 2021, 10:26pm

Yes, that's how it's documented here: NSS:Release Versions - MozillaWiki

17martin · February 8, 2022, 7:38pm

Firefox 97 was released today and the shown certificate chain of https://valid-isrgrootx2.letsencrypt.org ends now at ISRG Root X2. Looks good.

Nummer378 · May 27, 2022, 10:33am

Overall status update:

ISRG Root X2 is included in:

NEW Apple: ISRG Root X2 is now included in Apple trust stores when running macOS 12.3 or higher (source)
Google (Chrome): An update to the Proposed Root List somewhere in early 2022 started to include ISRG Root X2 as part of roots included at launch. AFAIK, the Chrome Root Program/Store is still not live, but Google has plans to launch it later this year.
Mozilla (Firefox/NSS): ISRG Root X2 is included as of Firefox 97 (see news above in this thread)
Microsoft: Windows distributes ISRG Root X2 since 2021 (see above). However due to path building specifics & lazy loading issues it may not show up in your system.

ISRG Root X2 is not yet included in:

Oracle (Java): Latest OpenJDK sources do not include ISRG Root X2 yet .
Android: AFAIK, there is no formal Android root program. However, Google does maintain a system trust store for its operating system (it's unknown to me from which program this is sourced from). Sources available from AOSP (corresponding to Android 12) do not appear to include ISRG Root X2.

Note that even if a root is included somewhere it takes years before these updates have reached (almost) all users.

mcpherrinm · May 27, 2022, 6:41pm

A post was split to a new topic: Creating intermediate certificate

ghen · September 6, 2022, 5:41pm

Unfortunately, ISRG Root X2 is not yet present in Android 13, either (released in August 2022).

aarongable · October 17, 2022, 4:29pm

It appears that ISRG Root X2 was omitted from Android 13 by mistake; the bug tracking its inclusion in Android is here: Google Issue Tracker

ghen · May 12, 2023, 6:13pm

Inclusion of ISRG Root X2 has (finally!) been confirmed in Android 14 beta 2. Google Issue Tracker