6 Lessons From the Expiration of the Let's Encrypt Root Certificate
Fallout from the transition highlights the need for organizations to monitor and have processes for updating CA roots, experts say.
October 14, 2021
On Sept. 30, a root certificate provided by digital certificate authority (CA) Let's Encrypt expired, meaning that the tens of millions of websites and devices that used the cert had to have updated to a new root before then — or run into problems.
Devices, browsers, and domains that did not update faced widespread disruptions, since they could no longer validate the Let's Encrypt HTTPS certificates used to ensure encrypted communications on the Internet.
"As root CAs expire, any certificates that chain up to those roots will no longer be trusted," says Chris Hickman, chief security officer at Keyfactor. "This situation makes it imperative to monitor root CA expiration and manage root stores on end devices."
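One way to act on that advice, as an added example that is not from the article or any of the people quoted: a POSIX shell check that walks every certificate in a PEM bundle (leaf, intermediates, and the roots shipped on a device) and flags any that will expire within a chosen number of days. It assumes only the openssl CLI; the bundle path and threshold are whatever the caller supplies.

```shell
#!/bin/sh
# Added example (not from the article): report certificates in a PEM bundle
# that expire within a threshold, so a root like DST Root CA X3 is noticed
# before it lapses. Requires the openssl command-line tool.
set -u

# check_chain_expiry BUNDLE.pem DAYS
# Prints one line per certificate and returns 1 if any certificate expires
# within DAYS days (or has already expired), 0 otherwise.
check_chain_expiry() {
    bundle=$1
    days=$2
    secs=$((days * 86400))
    status=0
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    i=1
    while [ "$i" -le "$n" ]; do
        # Extract the i-th PEM block from the bundle.
        cert=$(awk -v want="$i" '
            /BEGIN CERTIFICATE/ { k++ }
            k == want { print }
            /END CERTIFICATE/ && k == want { exit }' "$bundle")
        subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
        enddate=$(printf '%s\n' "$cert" | openssl x509 -noout -enddate)
        # -checkend exits 0 only if the cert is still valid SECS seconds from now.
        if printf '%s\n' "$cert" | openssl x509 -noout -checkend "$secs" >/dev/null; then
            echo "OK       $subject ($enddate)"
        else
            echo "EXPIRING $subject ($enddate)"
            status=1
        fi
        i=$((i + 1))
    done
    return $status
}

# Usage: check_chain_expiry /path/to/chain.pem 90
```

Run it against the trust store or chain files an application actually loads, not only the leaf certificate served on port 443, since it is the root's notAfter that caused the Sept. 30 breakage.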
Scott Helme, founder of Security Headers, described the transition in a blog post as affecting everything from legacy devices and technologies to the latest versions of iOS and macOS. Even large organizations such as Google and Microsoft were impacted when their cloud products could no longer validate certificate chains from Let's Encrypt, Helme noted. A similar expiration of an AddTrust CA in May 2020 caused outages at a variety of organizations, including Stripe, Roku, and Spreedly, he wrote in a separate post.
Overall, the recent expiration of the IdenTrust DST Root CA X3 root used by Let's Encrypt caused less disruption than expected, yet the event underscored a familiar issue: the complexity and fragility of oft-forgotten TLS/PKI systems, according to Helme.
Here are six key takeaways from root certificate expirations, such as the one from Let's Encrypt last month.