Let’s Encrypt “DST Root CA X3 Expiration (September 2021)”

This blog post talks about the Let’s Encrypt “DST Root CA X3 Expiration” that happened today, 30-Sep-2021.

See these articles for a detailed description: Extending Android Device Compatibility for Let’s Encrypt Certificates and DST Root CA X3 Expiration (September 2021)

Because the DST Root CA X3 trust anchor cert expired, Chilkat HTTP can fail certificate verification IF your application sets Http.RequireSslCertVerify = true AND the website uses a Let’s Encrypt cert. The default value of Http.RequireSslCertVerify is false, so nothing changes unless your application explicitly sets Http.RequireSslCertVerify = true.

Many systems intentionally ignore the “notAfter” date of trust anchor certs. The Let’s Encrypt article linked above explains why:

But isn’t DST Root CA X3 expiring? The self-signed certificate which represents the DST Root CA X3 keypair is expiring. But browser and OS root stores don’t contain certificates per se, they contain “trust anchors”, and the standards for verifying certificates allow implementations to choose whether or not to use fields on trust anchors. Android has intentionally chosen not to use the notAfter field of trust anchors. Just as our ISRG Root X1 hasn’t been added to older Android trust stores, DST Root CA X3 hasn’t been removed. So it can issue a cross-sign whose validity extends beyond the expiration of its own self-signed certificate without any issues.

Starting in v9.5.0.89, Chilkat ignores the “notAfter” date for trust anchors. If an application wishes NOT to ignore the “notAfter” date, it can add the keyword “CheckTrustAnchorExpiration” to the UncommonOptions property.
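The following is an added illustration, not Chilkat’s code and not from the Let’s Encrypt articles. It models why a chain ending in the expired DST Root CA X3 still verifies when the anchor’s “notAfter” is ignored, and why it fails when the equivalent of “CheckTrustAnchorExpiration” is turned on. Only the DST Root CA X3 expiration date (30-Sep-2021, from the post) is taken as given; the other certificate names mirror the public Let’s Encrypt chain but their validity windows are constructed sample values, and signatures, name constraints and revocation are deliberately not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample chain modelled on the Let's Encrypt setup the post describes.
# DST Root CA X3's expiration (2021-09-30) is the date from the post; every other
# validity window below is illustrative and not copied from the live certificates.
LEAF = Cert("www.example.test", "R3", utc(2021, 9, 1), utc(2021, 11, 30))
R3 = Cert("R3", "ISRG Root X1", utc(2020, 9, 4), utc(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2021, 1, 20), utc(2024, 9, 30))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", utc(2015, 6, 4), utc(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc(2000, 9, 30), utc(2021, 9, 30))


def build_path(leaf: Cert, intermediates: List[Cert],
               anchors: List[Cert]) -> Tuple[List[Cert], Optional[Cert]]:
    """Walk issuer links from the leaf until a trust anchor is reached.

    A subject present in the trust store wins over an intermediate with the same
    subject, so a store that already holds ISRG Root X1 stops there instead of
    chasing the cross-sign up to DST Root CA X3.  Returns (path_below_anchor, anchor),
    or (partial_path, None) when no anchor can be reached.
    """
    by_subject: Dict[str, Cert] = {c.subject: c for c in intermediates}
    anchor_by_subject: Dict[str, Cert] = {c.subject: c for c in anchors}
    path = [leaf]
    seen = {leaf.subject}
    current = leaf
    while True:
        issuer = current.issuer
        if issuer in anchor_by_subject:
            return path, anchor_by_subject[issuer]
        nxt = by_subject.get(issuer)
        if nxt is None or nxt.subject in seen:  # dangling issuer or a loop
            return path, None
        path.append(nxt)
        seen.add(nxt.subject)
        current = nxt


def verify_chain(leaf: Cert, intermediates: List[Cert], anchors: List[Cert],
                 now: datetime, check_trust_anchor_expiration: bool = False) -> Tuple[bool, str]:
    """Return (ok, reason).

    Validity dates are enforced on every certificate below the anchor.  The anchor's
    own notAfter is only enforced when check_trust_anchor_expiration is True, which
    mirrors Chilkat's default behaviour versus its CheckTrustAnchorExpiration keyword.
    """
    path, anchor = build_path(leaf, intermediates, anchors)
    if anchor is None:
        return False, "no path to a trust anchor"
    for cert in path:
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject} not valid at {now.date()}"
    if check_trust_anchor_expiration and now > anchor.not_after:
        return False, f"trust anchor {anchor.subject} expired {anchor.not_after.date()}"
    return True, f"anchored at {anchor.subject}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the three situations the post cares about, the day after expiry."""
    now = utc(2021, 10, 1)
    old_store = [DST_X3]                   # e.g. an older Android store without ISRG Root X1
    new_store = [ISRG_X1_SELF, DST_X3]     # a current store that has both
    chain = [R3, ISRG_X1_CROSS]            # what the server sends alongside the leaf
    return {
        "old_store_default": verify_chain(LEAF, chain, old_store, now),
        "old_store_strict": verify_chain(LEAF, chain, old_store, now, True),
        "new_store_strict": verify_chain(LEAF, chain, new_store, now, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The “old_store_default” case is the one the post is about: DST Root CA X3 is past its own notAfter, but because the anchor’s date is not consulted, the cross-signed ISRG Root X1 still chains to it and the leaf verifies. Flipping the flag (Chilkat’s “CheckTrustAnchorExpiration”) turns that same chain into a failure, while a store that already contains ISRG Root X1 verifies either way because path building stops before the cross-sign.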
