Dear all,

This email is to let you know about the expiration of IdenTrust “DST Root CA X3”.
This root is part of the trust chain for Let’s Encrypt intermediates and will
expire on Sep 30 14:01:15 2021 GMT.

We noticed this quite recently so I expect some of you might also have missed it.

The alternate root for Let’s Encrypt is “ISRG Root X1” and was added to the
trust store in NSS 3.26 which was released on 05 Aug 2016 (for Firefox 50
released on 15 Nov 2016).

In the case of Firefox, we do check the NotAfter validity field of Certificates
for NSS roots, so it is expected that some of our legacy users prior to
Fx50/NSS 3.26 will hit an error during certificate chain verification.

However, please be aware of all this if you use the NSS trust store without
checking the NotAfter date.

This expired Root certificate will be removed from NSS as part of the next
batch of CA changes expected sometime in December.
https://bugzilla.mozilla.org/show_bug.cgi?id=1733003

Please also find below some additional information about this root and the
changes in NSS.

Hope this helps.. : )

Best,
Benjamin



“DST Root CA X3” certificate entry at crt.sh
https://crt.sh/?q=0687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD6770739

Source code for the soon to be expired certificate in NSS
https://searchfox.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt#3116

Request of inclusion in the Mozilla root program
https://bugzilla.mozilla.org/show_bug.cgi?id=359069 

Changes adding DST Root CA X3 to NSS 3.11.9
https://bugzilla.mozilla.org/show_bug.cgi?id=394733 

Changes adding the new ISRG Root X1 to NSS 3.26
https://bugzilla.mozilla.org/show_bug.cgi?id=1289889
https://hg.mozilla.org/projects/nss/rev/f118cfd3948a

Communication from Let’s Encrypt
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://www.youtube.com/watch?v=RIR-_V1fNrk
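
For consumers of the NSS trust store that do not already check NotAfter on roots, the check can be done when the anchors are loaded. The following is an added example, not part of the original email and not NSS code: it reads NotAfter straight from a certificate's DER and lists the anchors that have expired. The function names are hypothetical and the sample store is a constructed skeleton carrying only the expiry date quoted above.

```python
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def der_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years 50-99 mean 19xx, 00-49 mean 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def not_after(cert_der):
    """Walk Certificate -> TBSCertificate -> Validity and return NotAfter."""
    _, pos, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)      # TBSCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                # optional [0] version
        _, _, pos = read_tlv(cert_der, pos)
    for _field in range(3):                  # serialNumber, signature, issuer
        _, _, pos = read_tlv(cert_der, pos)
    _, pos, _ = read_tlv(cert_der, pos)      # Validity SEQUENCE
    _, _, pos = read_tlv(cert_der, pos)      # skip notBefore
    tag, start, end = read_tlv(cert_der, pos)
    return der_time(tag, cert_der[start:end])

def expired_anchors(store, now=None):
    """Names in store (name -> DER bytes) whose NotAfter is in the past."""
    now = now or datetime.now(timezone.utc)
    return sorted(name for name, der in store.items() if not_after(der) < now)

def tlv(tag, body=b""):  # short-form DER encoder, used only for sample data
    return bytes([tag, len(body)]) + body

def sample_root(not_after_utc):
    """Constructed skeleton in certificate field order, not a real certificate."""
    validity = tlv(0x30, tlv(0x17, b"000101000000Z") + tlv(0x17, not_after_utc))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30) + tlv(0x30) + validity)
    return tlv(0x30, tbs)

SAMPLE_STORE = {"DST Root CA X3": sample_root(b"210930140115Z"),  # constructed
                "constructed unexpired root": sample_root(b"350101000000Z")}
```

With real anchors, pass the DER bytes of each root to not_after(); the certificate is still valid at the NotAfter instant itself, which is why the comparison is strict.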
