Obsolescence of the IdenTrust root certificate will lead to loss of trust in Let’s Encrypt on old devices

On September 30 at 17:01 Moscow time, the root certificate of the company IdenTrust (DST Root CA X3) expires. It was used to cross-sign the root certificate of the Let’s Encrypt certificate authority (ISRG Root X1), which is controlled by the community and provides certificates to everyone. The cross-signature ensured that Let’s Encrypt certificates were trusted on a wide range of devices, operating systems and browsers during the period when Let’s Encrypt’s own root certificate was being integrated into root certificate stores.

It was originally planned that after DST Root CA X3 became obsolete, the Let’s Encrypt project would switch to generating signatures using only its own root certificate, but such a step would lead to a loss of compatibility with a large number of old systems that had not added the Let’s Encrypt root certificate to their stores. In particular, approximately 30% of the Android devices in use have no data on the Let’s Encrypt root certificate, support for which appeared only starting with the Android 7.1.1 platform, released at the end of 2016.

Let’s Encrypt did not plan to conclude a new cross-signature agreement, as it imposes additional responsibility on the parties to the agreement, deprives them of independence and ties their hands in terms of complying with all the procedures and rules of another certificate authority. But because of the potential problems on a large number of Android devices, the plan was revised. A new agreement was concluded with the IdenTrust certificate authority, which provides for an alternative cross-signed Let’s Encrypt intermediate certificate. The cross-signature will be valid for three years and will maintain support for Android devices starting with version 2.3.6.

Nevertheless, the new intermediate certificate does not cover many other outdated systems. For example, after the DST Root CA X3 certificate becomes obsolete on September 30, Let’s Encrypt certificates will no longer be accepted in firmware and operating systems that are no longer supported; to ensure trust in Let’s Encrypt certificates on them, the ISRG Root X1 certificate will need to be added manually to the root certificate store. Problems will manifest themselves in:

/Media reports.
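The check an administrator would run before the expiry date, as an added example that is not part of the original article: it classifies a root store by whether ISRG Root X1 is present or whether the store depends on DST Root CA X3 alone. It assumes a client that enforces the validity period of its roots; the sample store entries and the names `audit_store`, `OLD_STORE` and `UPDATED_STORE` are constructed for illustration.

```python
import ssl

ISRG_CN = "ISRG Root X1"
DST_CN = "DST Root CA X3"

# Constructed sample entries in the shape SSLContext.get_ca_certs() returns.
# Dates are illustrative; the DST expiry is the article's 17:01 Moscow time in GMT.
DST_ROOT = {"subject": ((("commonName", DST_CN),),),
            "notBefore": "Sep 30 00:00:00 2000 GMT",
            "notAfter": "Sep 30 14:01:00 2021 GMT"}
ISRG_ROOT = {"subject": ((("commonName", ISRG_CN),),),
             "notBefore": "Jun 04 00:00:00 2015 GMT",
             "notAfter": "Jun 04 00:00:00 2035 GMT"}
OLD_STORE = [DST_ROOT]                 # device that never received ISRG Root X1
UPDATED_STORE = [DST_ROOT, ISRG_ROOT]  # device with ISRG Root X1 added


def common_name(cert):
    """Return the subject commonName of a get_ca_certs()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_store(ca_certs, now):
    """Classify how a root store can anchor a Let's Encrypt chain at epoch time `now`."""
    roots = {common_name(c): c for c in ca_certs}

    def usable(cn):
        cert = roots.get(cn)
        if cert is None:
            return False
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
        return start <= now <= end

    if usable(ISRG_CN):
        return "trusted-via-isrg-root-x1"
    if usable(DST_CN):
        return "trusted-only-via-dst-root-ca-x3"
    return "untrusted-add-isrg-root-x1"


if __name__ == "__main__":
    import time
    # Audit this machine's default store (may be empty where roots load lazily).
    print(audit_store(ssl.create_default_context().get_ca_certs(), time.time()))
```

A result of `trusted-only-via-dst-root-ca-x3` before September 30 marks a system that will need ISRG Root X1 added manually.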