Let’s Encrypt announced yesterday that they are now directly trusted by all major root certificate programs including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let’s Encrypt is now directly trusted by all major browsers and operating systems.
While Let’s Encrypt has already been trusted by almost all browsers, it was done so through intermediate certificate that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it also allowed Let’s Encrypt to be trusted as well.
With Let’s Encrypt now being directly trusted, if there is ever a problem with IdenTrust and they themselves become untrusted, Let’s Encrypt users will still be able to function properly. Before anyone says this could never happen, just remember what happened with the Symantec certs being untrusted by Google and Mozilla.
Unfortunately, while this news benefits affects newer browsers and operating systems, older versions will still not directly trust Let’s Encrypt. Due to this, Let’s Encrypt certificates will continue to be cross-signed by IdenTrust so they can continue to work on older products.
“While Let’s Encrypt is now directly trusted by almost all newer versions of operating systems, browsers, and devices, there are still many older versions in the world that do not directly trust Let’s Encrypt,” stated the announcement by Let’s Encrypt. “Some of those older systems will eventually be updated to trust Let’s Encrypt directly. Some will not, and we’ll need to wait for the vast majority of those to cycle out of the Web ecosystem. We expect this will take at least five more years, so we plan to use a cross signature until then.”
For users of Let’s Encrypt, there is nothing you need to do. Any site’s that utilize Let’s Encrypt certificates will continue working as normal.