Root Inclusion in Mozilla

Wow this is an great step forward :slight_smile:

That mean in the not so far future LetsEncrypt will be in Firefox


I guess it would end up being included in Firefox 51, which would be the first version released the next year.

As LE announced it will end up in Firefox 50.

However I still have a question about this inclusion now: As it seems X1 has been included, but most of the currently issued certs are issued by X3. Does not that mean only certs issued by X1 will be trusted without Identrust in Firefox 50?

Are there plans to include X3 too?

1 Like

@rugh I think your answer is there:

Firefox Nightly “51.0a1 (2016-08-06)” does not yet support the new root.
And the testpage “” was not updated.

Root versus intermediate dude, root versus intermediate..

Updated with what? There isn't a currently active intermediate certificate signed by the ISRG root...

@Osiris do you wan’t to say that there is an signed root, but no intermediate that it is usable with these root?


Currently, that is correct and also the reason why the helloworld certificate isn’t updated, because it has to chain up to the ISRG root.

Strictly, the X1 and X2 intermediate still exist, but Let’s Encrypt policies say it doesn’t issue certificates for end entities (and that’s what helloworld is) except via ACME and the ACME server doesn’t offer certificates from X1 or X2, right now it exclusively delivers certificates signed by X3.

Presumably at some point ISRG will have a signing ceremony, and they will use the ISRG Root (now trusted in Mozilla’s NSS) to sign X3 and X4. Because the ISRG-signed X3 and the IdenTrust-signed X3 are the same public key, with the same Subject DN, you can offer either the IdenTrust certificate (trusted very widely) or the ISRG certificate (only in brand new NSS) as intermediates, although obviously certbot and similar tools would continue to choose IdenTrust because that works better for 99.99% of end users. But helloworld could ask for an X3-signed certificate then, and use the ISRG chain rather than the IdenTrust one if they wanted to.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.