Survey about the support status of New Root CA - ISRG Root X1 for major mobile browsers

JiangHao · December 18, 2020, 5:03am

Currently, Let's Encrypt will replace the Root CA to ISRG Root X1, which will affect the Android User with the old version (7.0 and below)
For users who want to visit the websites directly with mobile web browsers, may I know the support status of this new Root CA for major mobile browsers?

thank you!

griffin · December 18, 2020, 5:00am

Welcome to the Let's Encrypt Community, Jiang

That's not technically accurate. All of Let's Encrypt's RSA intermediate certificates, including the legacy Let's Encrypt Authority X1...X4 and the current R3 and R4, have always had a version signed by DST Root CA X3 and a version signed by ISRG Root X1. What is changing is that the primary issuance for R3 and R4 will be from ISRG Root X1 while the alternative issuance will be from DST Root CA X3 with that alternative being phased out as the expiration of DST Root CA X3 (Sep 30 14:01:15 2021 GMT) approaches.

Perhaps this may help?

This may be of use too:

JiangHao · December 18, 2020, 6:46am

Hi Griffin,

Thank you for your explanation!

I want to know the Certificate Compatibility of Free new SSL/TLS Certificates with the new issuance after the expiration of DST Root CA X3(Sep 30, 2021) for Major mobile web browsers.

I noted this doc - https://letsencrypt.org/docs/certificate-compatibility/ may have not updated for long time, so it may be incorrect so far.

Could you please help to update this doc or provide the newest Certificate Compatibility for mobile web browsers?

Thank you

Sandra · December 18, 2020, 9:47am

About this issue I'd like to add that non-browser apps also rely on certs. So "Switch to Firefox Mobile" isn't a complete solution.

yschimke · December 18, 2020, 1:31pm

Some discussion here Mobile client workarounds for ISRG issue

I'm not sure if the advice is final, be nice to see some final guidance from Let's Encrypt themselves there. It's the one linked to from the blog post though https://letsencrypt.org/2020/11/06/own-two-feet.html

rg305 · December 19, 2020, 11:46pm

If you really have need for such an outdated connection, then you might consider using your own PKI system.
Or combining that PKI system with the real one. That is, you could put up an alternate cipher/root site that provides the same services (or simply proxies to the newer site) to those old remaining systems.

https://new.secure.com/app/do.html << new LE certs
can then also be accessed by:
https://old.not-so-secure.com/app/do.html << self-signed 100 year root cert

[both domains should be owned/operated by the same party - or you will have a third party MITM]

system · January 18, 2021, 11:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.