Expiration of IdenTrust "DST Root CA X3"
50 views
Skip to first unread message
Benjamin Beurdouche
Sep 29, 2021, 11:41:31 AM9/29/21
to dev-tec...@mozilla.org
Dear all,
Source code for the soon to be expired certificate in NSS
https://searchfox.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt#3116
This email is to let you know about the expiration of IdenTrust “DST Root CA X3”.
This root is part of the trust chain for let’s encrypt intermediates and will expire on Sep 30 14:01:15 2021 GMT.
We noticed this quite recently so I expect some of you might also have missed it.
The alternate root for Let’s Encrypt is “ISRG Root X1” and was added to the trust store
in NSS 3.26 which was released on 05 Aug 2016 (for Firefox 50 released on 15 Nov 2016).
In the case of Firefox, we do check the NotAfter validity field of Certificates for NSS roots
so it is expected than some of our legacy users prior to Fx50/NSS 3.26 will hit an error
during certificate chain verification.
However please be aware of all this if you use the NSS trust store without checking the NotAfter date.
This expired Root certificate will be removed from NSS as part as the next batch of CA changes
expected sometime in December. https://bugzilla.mozilla.org/show_bug.cgi?id=1733003
Please also find below some additional information about this root and the changes in NSS.
Hope this helps.. : )
Best,
Benjamin
“DST Root CA X3" certificate entry at crt.sh
https://crt.sh/?q=0687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD6770739
https://crt.sh/?q=0687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD6770739
Source code for the soon to be expired certificate in NSS
https://searchfox.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt#3116
Communication from Let’s Encrypt
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
Reply all
Reply to author
Forward
0 new messages