ISRG Root X2 Submitted to Root Programs

The public discussion at Mozilla is over; the current status is "Intent to Approve":
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/D8coPL0eU3k/m/t1JxqeZ8AwAJ

10 Likes

The ISRG Root X2 certificate has been formally accepted by Mozilla, and should appear in the next NSS release.
NSS inclusion request: 1738805 - Add ISRG Root X2 root certificate to NSS

13 Likes

Hopefully at the beginning of 2022 we can start using X2.

3 Likes

Is there any public status available for the Apple, Google, and Oracle root programs?

5 Likes

I haven't seen any kind of "publicly visible inclusion process" for most root programs (well, except Mozilla). If there is, I would like to know as well.

The current status as I can verify it is:

7 Likes

@lestaff

I know you're busy and not everyone is available at all times, but you're aware that Mozilla is currently blocked waiting for your input?

8 Likes

We are aware of this, thank you.

7 Likes

Root X2 seems to have been included in the Microsoft and Google root programs at some point recently. Can't say exactly when for lack of transparency in their processes.

2 Likes

While I don't know about the MS root, ISRG Root X2 didn't land in Android 12. As they only do CA store updates on Android releases, I think it'd be Android 13 or something until it lands on Android.
https://android.googlesource.com/platform/system/ca-certificates/+/8db75df6bd335760ddb36db92463ce2d236d3916
There is no ISRG update there, and if you look up the newest commit you will find no ISRG Root X2 in there either.

6 Likes

Microsoft including ISRG Root X2 has been reported already:

About Google:

That's a bit complicated, because there is no uniform "Google Root Program". There are various trust stores used on their products, for example the trust store used on Android. Censys lists "Google CT" under trust, which are the certificates accepted by their CT log backends. The latter seems to include ISRG Root X2 now, yes. I imagine that these trust stores are run independently by independent departments.

There's a root program run by Google, the Chrome Root Program. But that is still in development and little is known about it.

7 Likes

ISRG Root X2 certificate was just committed in NSS, so should be included in Firefox soon.

6 Likes

Wonderful news! Correct me if I'm wrong, it looks like it'll arrive in the next branch release of NSS on 1/6/2022 in v3.74, meaning it'll land in Nightly immediately after and Firefox 97 stable on February 8.

1 Like

Yes, that's how it's documented here: NSS:Release Versions - MozillaWiki

2 Likes

Firefox 97 was released today and the shown certificate chain of https://valid-isrgrootx2.letsencrypt.org ends now at ISRG Root X2. Looks good.

11 Likes

Overall status update:

ISRG Root X2 is included in:

  • NEW Apple: ISRG Root X2 is now included in Apple trust stores when running macOS 12.3 or higher (source)
  • Google (Chrome): An update to the Proposed Root List somewhere in early 2022 started to include ISRG Root X2 as part of roots included at launch. AFAIK, the Chrome Root Program/Store is still not live, but Google has plans to launch it later this year.
  • Mozilla (Firefox/NSS): ISRG Root X2 is included as of Firefox 97 (see news above in this thread)
  • Microsoft: Windows has distributed ISRG Root X2 since 2021 (see above). However, due to path building specifics & lazy loading issues, it may not show up in your system.

ISRG Root X2 is not yet included in:

  • Oracle (Java): Latest OpenJDK sources do not include ISRG Root X2 yet.
  • Android: AFAIK, there is no formal Android root program. However, Google does maintain a system trust store for its operating system (it's unknown to me which program this is sourced from). Sources available from AOSP (corresponding to Android 12) do not appear to include ISRG Root X2.

Note that even if a root is included somewhere it takes years before these updates have reached (almost) all users.

17 Likes

Unfortunately, ISRG Root X2 is not yet present in Android 13, either (released in August 2022).

7 Likes

It appears that ISRG Root X2 was omitted from Android 13 by mistake; the bug tracking its inclusion in Android is here: Google Issue Tracker

9 Likes

Inclusion of ISRG Root X2 has (finally!) been confirmed in Android 14 beta 2. Google Issue Tracker

12 Likes

Hopefully the last status update:

Oracle has (finally) added ISRG Root X2 to Java's trust store. The next releases for all supported OpenJDK/Oracle builds will include ISRG Root X2.

Given that Google has added ISRG Root X2 to Android 14, that means that ISRG Root X2 has now been incorporated into all major trust stores.

11 Likes