What happens in 2021 when the IdenTrust root certificate expires?



Right now there are two options for certificate chains for Let’s Encrypt certificates:

  • An intermediate signed by “DST Root CA X3”, owned by IdenTrust.
  • An intermediate signed by “ISRG Root X1”, the root owned by Let’s Encrypt itself.

I believe due to compatibility reasons the vast majority of LE users will use the chain for the IdenTrust certificate, particularly if it’s about public web pages. However the “DST ROOT CA X3” certificate will expire in 2021. While this is still a couple of years in the future, I wonder if this is looming trouble for LE.

I noticed this because I heard stories from customers of another CA that recently started issuing certs to customers with a root that was only issued relatively recently. Many old browsers throw errors when seeing these certs.

I think it’s plausible to assume that in 2021 the ISRG certificate will not have received widespread enough support to make it the only option available, particularly given how unfortunately common smartphones without any update option are these days.

Is LE aware of this issue and are there any plans?



I’m sure that Let’s Encrypt is aware of this issue. Since there are some request / concern before…

Please take a look at this one:

Calling @schoen for more details…

Thank you


That question is (probably) linked to that other one about the future ECDSA Intermediates:


I don’t have any news about this and I’ll invite @josh to comment.

closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.