Let’s Encrypt Root Certificate Expiration: Will You Be Impacted?

September 24, 2021 | Scott Carter

With its promise of free TLS certificates for the masses, Let’s Encrypt has been a major force behind the widespread adoption of HTTPS over the past several years. Securely managing the burgeoning population of certificates that act as machine identities for websites, however, is not free. Management becomes critical when a crypto-event forces organizations to quickly find and replace every affected certificate, as happened when Google and other browser vendors distrusted millions of Symantec certificates. Those certificates had to be replaced before the distrust took effect; otherwise they would have stopped working and disrupted every system they were protecting.

Well, that day has come for the millions of websites that rely on Let’s Encrypt machine identities to protect their connections and communications. Next week, on September 30, the IdenTrust DST Root CA X3 expires. Let’s Encrypt does not own that root, but it has depended on it: DST Root CA X3 cross-signs Let’s Encrypt’s own root, ISRG Root X1, which is how Let’s Encrypt certificates came to be trusted by devices that do not carry ISRG Root X1 in their root stores. What does this mean? A Let’s Encrypt certificate does not stop being valid on that date. The risk is on the client side: a client that trusts only DST Root CA X3, and whose TLS library refuses to build a path through an expired root, can no longer validate the chain, and the server behind it becomes unreachable from that client. In most circles, that’s called an outage.


This is not an isolated problem. Pratik Savla, senior security engineer at Venafi, notes that, “A root certificate is the primary critical link in the chain of trust for the keys and certificates that serve as machine identities. Root certificates are embedded in nearly every type of software and hardware used in today’s enterprise infrastructure.” This means that when a root certificate expires, it has the potential to impact a wide range of machines. “Root certificates come with much longer validity periods so when they expire the negative impact is also much larger,” warns Savla.

Granted, this will not be a problem for most systems. Let’s Encrypt certificates are far shorter-lived than those from most other certificate authorities (CAs): the CA/Browser Forum currently caps public TLS certificate lifetimes at 398 days, roughly a year, while Let’s Encrypt certificates are valid for only 90 days. Most servers will therefore have renewed by regular rotation well before the root expires on September 30, 2021, and each renewal picks up the chain Let’s Encrypt serves at issuance, which is built on ISRG Root X1. For modern clients, whose root stores already contain ISRG Root X1, nothing changes.

Some older devices whose root stores are not updated automatically could be impacted when DST Root CA X3 expires. We saw the potential impact of an expired root certificate back in May 2020, when the AddTrust External CA Root expired and companies including Stripe, Red Hat and Roku suffered outages. But given the much broader use of Let’s Encrypt machine identities, the impact could be even greater this time around.

“At least something, somewhere is going to break,” warns security researcher Scott Helme in a recent blog post. This is most likely to ring true for embedded systems designed never to update their root stores, or for smartphones running significantly older software.

How can you be sure that your organization is immune to outages caused by the expiring root certificate? “Groups/individuals tasked with managing PKI infrastructure need to understand that updating a root certificate is different from just simply updating a web-browser or OS or even a server certificate. Because root certificates have much longer validity periods, when they expire there can be significantly larger negative impacts,” notes Savla. “To address these risks, organizations need a proper plan/strategy that includes hard requirements to ensure they can update their root store and all dependent infrastructure with the new active root before the old one expires. Such plans should also ensure that any areas potentially causing single points of failure (SPOFs) are addressed first.”

To be sure, Let’s Encrypt has taken every step it reasonably could to ensure a smooth transition. Earlier this year it switched its default chain to its own ISRG Root X1, which doesn’t expire until 2035. Some clients (notably Android releases before 7.1.1) still don’t have ISRG Root X1 in their root store, so Let’s Encrypt also obtained a cross-signed copy of ISRG Root X1 issued by DST Root CA X3 that remains valid until September 2024, three years beyond the issuing root’s own expiry. That trick only works on clients that do not check the expiry date of a root they already trust. Android skips that check, so it keeps accepting the cross-signed path; OpenSSL does not, so an OpenSSL-based client that ends up anchoring its path on the expired DST Root CA X3 fails. That includes any OpenSSL client whose store lacks ISRG Root X1, and OpenSSL 1.0.x clients even when ISRG Root X1 is present, because those older versions prefer the cross-signed certificate the server sends over the root in their own store. So most devices should stay breakage-free for three more years, but the best-laid plans are sometimes not enough. Only time will tell how wide the impact may be.
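The cross-signing arrangement above is easiest to understand by building one. The shell script below is an added example, not code from the Venafi post or from Let’s Encrypt. It uses the openssl command line to create a toy hierarchy that mirrors the real one: a short-lived “Old Root” standing in for DST Root CA X3, a long-lived self-signed “New Root” standing in for ISRG Root X1, a cross-signed copy of New Root issued by Old Root that outlives it, an intermediate in R3’s role, and a 90-day leaf. It then runs `openssl verify` with a simulated clock (`-attime`) 60 days out, after Old Root has expired, against three different trust stores. All names, serial numbers, lifetimes and the hostname www.example.test are constructed, and it assumes OpenSSL 1.1.1 or newer is installed.

```shell
#!/bin/sh
# Added example (not from the Venafi post or Let's Encrypt): build a toy PKI that
# mirrors the DST Root CA X3 -> ISRG Root X1 cross-sign, then check which trust
# stores still validate the served chain after the old root expires.
# Needs the openssl CLI (1.1.1 or newer). Names and lifetimes are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# req needs a distinguished_name section even when -subj is given; the two
# extension sections below mark certificates as a CA or as a TLS server leaf.
cat >ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

genkey()   { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
csr()      { openssl req -new -key "$1" -subj "$2" -config ext.cnf -out "$3" 2>/dev/null; }
selfsign() { openssl req -x509 -new -key "$1" -subj "$2" -days "$3" -config ext.cnf -extensions ca_ext -out "$4" 2>/dev/null; }
# sign CSR ISSUER_CERT ISSUER_KEY SERIAL DAYS EXT_SECTION OUT
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$4" -days "$5" \
    -extfile ext.cnf -extensions "$6" -out "$7" 2>/dev/null
}

build_pki() {
  genkey old.key && genkey new.key && genkey int.key && genkey leaf.key || return 1
  # Old Root stands in for DST Root CA X3: self-signed, only 30 days left.
  selfsign old.key "/CN=Old Root" 30 old_root.pem
  # New Root stands in for ISRG Root X1: self-signed and long-lived ...
  selfsign new.key "/CN=New Root" 5000 new_root.pem
  # ... and also cross-signed by Old Root with a validity that outlives it,
  # the same arrangement Let's Encrypt used for the 2021-2024 window.
  csr new.key "/CN=New Root" new.csr
  sign new.csr old_root.pem old.key 1001 1095 ca_ext new_root_cross.pem
  # Intermediate (R3's role) issued by New Root, then a 90-day leaf.
  csr int.key "/CN=Intermediate" int.csr
  sign int.csr new_root.pem new.key 2001 1825 ca_ext int.pem
  csr leaf.key "/CN=www.example.test" leaf.csr
  sign leaf.csr int.pem int.key 3001 90 leaf_ext leaf.pem
  # What the server sends alongside the leaf: intermediate + cross-signed root.
  cat int.pem new_root_cross.pem >served_chain.pem
  # A well-maintained client's store holds both roots.
  cat old_root.pem new_root.pem >both_roots.pem
}

# verify_chain TRUST_STORE DAYS_AHEAD: validate leaf.pem the way a client with
# that trust store would, with the clock moved DAYS_AHEAD days into the future.
# Prints OK, or FAIL with openssl's reason; returns 0 only on OK.
verify_chain() {
  at=$(( $(date +%s) + $2 * 86400 ))
  out=$(openssl verify -attime "$at" -CAfile "$1" -untrusted served_chain.pem leaf.pem 2>&1 || true)
  case $out in
    *": OK"*) echo OK; return 0 ;;
  esac
  reason=$(printf '%s\n' "$out" | grep 'depth lookup' | head -n 1 | sed 's/.*: //')
  echo "FAIL (${reason:-$out})"
  return 1
}

build_pki || { echo "could not build toy PKI" >&2; exit 1; }
printf 'old root only, today    : %s\n' "$(verify_chain old_root.pem 0)"
printf 'old root only, +60 days : %s\n' "$(verify_chain old_root.pem 60)"
printf 'new root only, +60 days : %s\n' "$(verify_chain new_root.pem 60)"
printf 'both roots,    +60 days : %s\n' "$(verify_chain both_roots.pem 60)"
```

With an OpenSSL 1.1.1 or later client, the old-root-only store passes today and fails 60 days out with “certificate has expired”, while the new-root-only and both-roots stores pass, because modern OpenSSL looks in its own trust store before falling back to the cross-signed certificate the server sent. OpenSSL 1.0.x builds the path the other way around, preferring the served cross-signed root, which is why such clients broke in practice even with ISRG Root X1 installed; and a client that skips expiry checks on its own anchors, as Android does, would accept the old-root-only store too. To run the same check against a real server, replace leaf.pem and served_chain.pem with the certificates printed by `openssl s_client -showcerts`.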

How could this root certificate expiration impact your organization? “Any impending root certificate expiration will always become problematic for organizations who don’t have a strategy in place to ensure their overall infrastructure is updated and synced-in to trust the newer Root,” notes Savla. “It’s really worth the time required to create a plan for this scenario because we’re likely to see more root certificate expirations in the future.”

Savla advises that, “Cross-signing is a workaround that many organizations use as a temporary buffer against significant security and availability catastrophes that happen when planning is insufficient. The problem is that this approach doesn’t offer a solution to expiration or revocation tracking, and this can become problematic when dealing with revoking compromised certificates or stolen credentials.”

Do you know how many of the more than a billion certificates Let’s Encrypt has issued your organization is using? You may be surprised how often unsanctioned CAs and certificates turn up in individual business units, outside the view of the team that owns PKI. Venafi can help you locate all certificates in use across your organization. Talk to an expert today to get started.


About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
