6 Lessons From the Expiration of the Let's Encrypt Root Certificate

Fallout from the transition highlights the need for organizations to monitor and have processes for updating CA roots, experts say.


On Sept. 30, 2021, a root certificate relied on by digital certificate authority (CA) Let's Encrypt expired: IdenTrust's DST Root CA X3, which had cross-signed Let's Encrypt's intermediates. The tens of millions of websites and devices whose chains ended at that root had to be trusting Let's Encrypt's own ISRG Root X1 before then, or run into validation problems.

Devices, browsers, and services whose trust stores were not updated faced widespread disruptions, since they could no longer build a valid chain for the Let's Encrypt HTTPS certificates used to encrypt communications on the Internet. Some older TLS stacks (OpenSSL builds before 1.1.0, for instance) failed even with the new root installed, because they stopped at the first chain they could build, which still led to the expired root.

"As root CAs expire, any certificates that chain up to those roots will no longer be trusted," says Chris Hickman, chief security officer at Keyfactor. "This situation makes it imperative to monitor root CA expiration and manage root stores on end devices."

Scott Helme, founder of Security Headers, described the transition in a blog post as affecting everything from legacy devices and technologies to the latest versions of iOS and macOS. Even large organizations such as Google and Microsoft were impacted when their cloud products could no longer validate certificate chains from Let's Encrypt, Helme noted. A similar expiration of Sectigo's AddTrust External CA Root in May 2020 caused outages at a variety of organizations, including Stripe, Roku, and Spreedly, he wrote in a separate post.

Overall, the recent expiration of DST Root CA X3, the IdenTrust root that anchored Let's Encrypt's older chain, caused less disruption than expected, yet the event underscored a familiar issue: the complexity and fragility of oft-forgotten TLS/PKI systems, according to Helme.
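The monitoring Hickman calls for above starts with knowing what is in your own trust stores and when each root expires. The following is an added example, not code from the article, Keyfactor, or Let's Encrypt: a POSIX shell script that splits a PEM CA bundle into individual certificates and uses the openssl CLI's `-checkend` option to flag roots that have expired or will expire within a given number of days. The bundle path in the usage comment and the two self-signed test roots generated by `make_test_bundle` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or any vendor tool: scan a PEM CA bundle
# and flag roots that have expired or will expire within a threshold.
# Needs the openssl CLI. The bundle path and the two self-signed test roots
# generated below are constructed for illustration.

# scan_bundle BUNDLE [DAYS]: prints one line per certificate, "EXPIRING" or
# "ok", followed by the notAfter date and the subject. Default window: 90 days.
scan_bundle() {
    bundle="$1"
    days="${2:-90}"
    secs=$((days * 86400))
    tmpdir=$(mktemp -d)
    # Split the bundle into one file per certificate (text between certs,
    # such as comments in ca-certificates.crt, is dropped).
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", d, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }' "$bundle"
    for c in "$tmpdir"/cert*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject)
        end=$(openssl x509 -in "$c" -noout -enddate)
        # -checkend exits 0 if the cert is still valid SECS seconds from now,
        # 1 if it has already expired or will expire inside that window.
        if openssl x509 -in "$c" -noout -checkend "$secs" >/dev/null; then
            status=ok
        else
            status=EXPIRING
        fi
        printf '%s\t%s\t%s\n' "$status" "$end" "$subj"
    done
    rm -rf "$tmpdir"
}

# count_expiring BUNDLE [DAYS]: number of certificates flagged by scan_bundle,
# usable as a monitoring metric or alert condition.
count_expiring() {
    scan_bundle "$@" | grep -c '^EXPIRING' || true
}

# make_test_bundle OUT: constructed input, two self-signed "roots", one
# expiring in 10 days and one in roughly 10 years.
make_test_bundle() {
    out="$1"
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/k1.pem" -out "$d/c1.pem" \
        -days 10 -subj "/CN=Short-lived Test Root" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/k2.pem" -out "$d/c2.pem" \
        -days 3650 -subj "/CN=Long-lived Test Root" 2>/dev/null
    cat "$d/c1.pem" "$d/c2.pem" > "$out"
    rm -rf "$d"
}

# Usage against a real trust store (path is an assumption; adjust for your OS):
#   scan_bundle /etc/ssl/certs/ca-certificates.crt 90
```

Run `scan_bundle` against each trust store you ship (OS bundle, JVM cacerts exported to PEM, embedded-device stores) and alert when `count_expiring` is non-zero well ahead of the date; a root that is flagged is one whose chains need a replacement root distributed before it lapses.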

Here are six key takeaways from root certificate expirations, such as the one from Let's Encrypt last month.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
