Let's Encrypt, the free certificate authority, had originally planned to switch to intermediate certificates signed solely by its own root certificate. The team has now changed that plan.
Until now, Let's Encrypt has relied on what is known as cross-signing by the IdenTrust certificate authority. As the Let's Encrypt team has now announced, its own root certificate will be cross-signed again in future as well. This is meant to protect millions of older Android devices from compatibility problems.
A few months ago, the company warned that the planned switch could cause problems for around a third of all Android phones still in use, because many older devices do not trust the Let's Encrypt root certificate, which was first introduced in 2016. According to the blog post, devices running Android 7.1.1 or older are particularly affected.
After the originally planned change, such devices would by default no longer be able to establish a trusted connection to websites or services that use Let's Encrypt certificates, since those certificates would no longer chain to a root the device trusts. The scale is considerable: Let's Encrypt certificates cover around 220 million domains.
The newly planned cross-signature is to be valid for three years, which is longer than the remaining validity of the IdenTrust root certificate itself. This may seem unusual and is not actually foreseen in the TLS trust model: a standard client rejects a chain whose root has expired, so a signature that outlives the signing root is normally of no use. However, Android intentionally does not check the expiry date of the root certificates in its trust store.
Let's Encrypt now makes use of exactly this behaviour to preserve compatibility for longer; without it, there would be no way to keep reaching those devices. At the end of the three years, in early 2024, the switch originally scheduled for 2021 is to go ahead and certificates will then rely on Let's Encrypt's own root alone. When obtaining certificates for your own websites, you should still be able to choose whether the chain is rooted in the old, by then expired, root certificate.