Browser coverage

Skip to first unread message

Jun 12, 2015, 5:05:41 AM6/12/15

Great project!

Maybe it's somewhere on the site but I couldn't find it, could you tell me something about the browser coverage? Which browsers will be supported? And I'm also curious under which CA / root the certificates will be issued?


Vincent Lynch

Jun 12, 2015, 10:54:46 AM6/12/15
The certificates will be issued under the "DST Root CA X3", operated by IdenTrust. The root has stupendous inclusion. It is more or less included on every meaningful device.

Trusted Root since....
-Not sure on exactly when it was included on Windows, but since at least IE8

You can visit on any device to test if the root is trusted. 

Let’s Encrypt developer @bcrypt posted a tweet asking for further device testing: 

Users confirmed the following devices recognized DST Root CA X3: iOS 3.1, Safari 4.0 (w/ Mac OSX 10.4), Android 2.3.6, Firefox OS 2.2, Meego (defunct Linux OS), Amazon FireOS (Silk Browser), Cyanogen 10, Debian 6, Jolla Sailfish OS, Kindle v3.4.1, Playstation 3

 Not Recognized By: Blackberry OS 10, 7, & 6, Android 2.3.5 (HTC Wildfire S, Stock Browser), Nintendo 3DS



You received this message because you are subscribed to the Google Groups "Let's Encrypt Client Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
To view this discussion on the web visit

Vincent Lynch

Daniel Roesler

Jun 12, 2015, 11:34:29 AM6/12/15
to Vincent Lynch,,
I'm seeing as chained to the IdenTrust
Commercial Root CA 1 root (serial 0A 01 42 80 00 00 01 45 23 C8 44 B5
00 00 00 02 ), not DST Root CA X3 (serial 44 AF B0 80 D6 A3 27 BA 89
30 39 86 2E F8 40 6B). Is there another site that is chained to the X3

Vincent Lynch

Jun 12, 2015, 11:41:47 AM6/12/15
to Daniel Roesler,,
Hi Daniel,

I may be misinterpreting this, but, despite the name  IdenTrust Commercial Root CA 1 does not seem to be a root. It is an Intermediate signed by DST Root CA X3.

Vincent Lynch

Daniel Roesler

Jun 12, 2015, 11:48:19 AM6/12/15
to Vincent Lynch, marije,
Ah, ok. It seemed that Firefox is only showing the self-signed version
of IdenTrust Commercial Root CA 1, which is also in the root list.
Thanks for the clarification!
Screenshot - 06122015 - 08:46:15 AM.png

Vincent Lynch

Jun 12, 2015, 12:07:01 PM6/12/15
to Daniel Roesler, marije,
Very interesting. I wonder why SSLLabs does not show that as an alternate chain. My understanding was it used the NSS/Mozilla trust store.

Vincent Lynch
Reply all
Reply to author
0 new messages