Tech News and Updates

Let's Encrypt's certificate chain transition and its impact on device compatibility

Let's Encrypt's certificate chain transition and its impact on device compatibility - Zest Logic

Let's Encrypt, the renowned certificate authority, is undergoing a significant transition in its certificate chain structure. This change, set to take effect after May 15th, 2024, will have implications for device compatibility, particularly for older systems. This change marks an evolution in Let's Encrypt's approach to trust and security.


Initially, Let's Encrypt employed a cross-signed certificate chain, leveraging IdenTrust’s DST Root CA X3 to ensure widespread trust for its certificates. Over time, Let's Encrypt's own ISRG Root X1 gained extensive trust, leading to the need for a shift in their certificate issuance strategy.


The impending change arises from the expiration of the cross-signed chain on September 30th, 2024. This expiration necessitates adjustments in how certificates are issued and validated, impacting various services like Cloudflare, which relies on Let's Encrypt for certificate provisioning.


The impact of this transition primarily affects devices running older operating systems, notably Android versions 7.0 and earlier. Systems reliant solely on the cross-signed chain without the ISRG Root X1 chain in their trust store may experience certificate validation failures post-transition. Such failures could manifest as warning messages or access issues for users accessing websites secured by Let's Encrypt certificates.


Cloudflare has outlined vital steps and dates for its users to mitigate potential disruptions. After May 15th, 2024, Cloudflare will cease issuing certificates from the cross-signed CA chain and switch to the ISRG Root X1 chain for new certificates. Existing certificates issued before this date will remain valid with the cross-signed chain until renewal.


Additionally, Cloudflare emphasizes that this change impacts RSA certificates exclusively and does not affect ECDSA certificates issued through Let's Encrypt, which will maintain their current compatibility level.


Proactive measures are recommended for organizations and site operators. These include considering alternative certificate authorities for legacy device compatibility, monitoring support channels for certificate-related inquiries, and updating trust stores to include the ISRG Root X1 chain.


In our blog, we post technology-related articles weekly. Follow us on Facebook and  Instagram to get notifications about updates.

Reading next

Enhancing user experience: INP becomes a Core Web Vital. - Zest Logic
Unlocking the potential: Magento 2.4.7 brings PHP 8.3 support and more - Zest Logic

Interested in a specific business & technology topic and looking for an article in our blog but haven't found one yet?

If you haven't come across an article that matches your query, feel free to suggest the topic to us, and we'll consider featuring it in our blog. Share your suggestion in the form below, and we'll be sure to review your request.

Talk with us

If you have any questions or problems in your business that can be solved with technical solutions, just let us know. We'll do everything we can to help you.