The blog post Transitioning to ISRG’s Root links to a test site which can be used to see if the new root certificate is accepted in the browser.
Because of the note at the top of that post about Android devices not necessarily having the new root, I took out all of our Android devices to test them.
As expected, the site works on newer devices (e.g. Google Pixel, Samsung S8, S9, and S10), and does not work on some older ones (e.g. Google Nexus 5) where it gives a certificate error.
However, I have one device which I expected to show a certificate error but instead the site loaded properly!
On a Samsung S6 (Edge, Verizon), the site loads properly even though the ISRG X1 root is not in the trust store. When I check the certificate chain in the browser, I see that it is loading the Identrust DST Root CA X3.
I thought the whole point of this test site is that it does not chain back to the Identrust root, so how is this phone loading it? Also, if this phone is loading it, why isn’t my Nexus 5?