Expiration of IdenTrust "DST Root CA X3"

Skip to first unread message

Benjamin Beurdouche

Sep 29, 2021, 11:41:31 AM9/29/21
to dev-tec...@mozilla.org
Dear all,

This email is to let you know about the expiration of IdenTrust “DST Root CA X3”. 
This root is part of the trust chain for let’s encrypt intermediates and will expire on Sep 30 14:01:15 2021 GMT.

We noticed this quite recently so I expect some of you might also have missed it.

The alternate root for Let’s Encrypt is “ISRG Root X1” and was added to the trust store
in NSS 3.26 which was released on 05 Aug 2016 (for Firefox 50 released on 15 Nov 2016).

In the case of Firefox, we do check the NotAfter validity field of Certificates for NSS roots
so it is expected than some of our legacy users prior to Fx50/NSS 3.26 will hit an error
during certificate chain verification.

However please be aware of all this if you use the NSS trust store without checking the NotAfter date.

This expired Root certificate will be removed from NSS as part as the next batch of CA changes

Please also find below some additional information about this root and the changes in NSS.

Hope this helps.. : )


Request of inclusion in the Mozilla root program

Changes adding DST Root CA X3 to NSS 3.11.9

Changes adding the new ISRG Root X1 to NSS 3.26

Reply all
Reply to author
0 new messages