Security Briefing — Let's Encrypt DST Root CA X3 Expiration
Let's Encrypt's cross-signed DST Root CA X3 certificate expired, breaking TLS validation on legacy clients and forcing operators to verify trust stores, IoT devices, and enterprise proxies before outages.
Executive briefing: The DST Root CA X3 certificate used to cross-sign Let's Encrypt chains expired on . Organizations relying on outdated trust stores encountered TLS failures on Android <9, embedded devices, and legacy enterprise appliances.
Key updates
- Trust store remediation. Devices without the ISRG Root X1 certificate failed to validate Let's Encrypt leaf certificates.
- Compatibility guidance. Let's Encrypt published mitigations including chain switching and certificate pinning updates.
- Monitoring requirements. CDN, IoT, and API operators needed proactive telemetry to catch TLS handshake spikes and client drop-offs.
Implementation guidance
- Audit TLS termination points, agents, and embedded systems to ensure ISRG Root X1 is trusted and firmware updates are available.
- Coordinate certificate rotation plans for constrained devices that cannot update trust stores, considering alternate CAs.
- Document certificate expiration response runbooks and validate monitoring for future root transitions.
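The trust-store problem in the Key updates and the audit step in the Implementation guidance can be exercised without touching production: build a throwaway hierarchy with the same shape as the Let's Encrypt one (an old root, a new root, one intermediate key cross-signed by both, a leaf) and verify the leaf against a legacy trust store and an updated one on either side of the old root's expiry. The Go program below is an added example, not code from Let's Encrypt or from the briefing; every certificate name, key and date in it is constructed on the spot (the old root's expiry instant is a stand-in, not the real DST Root CA X3 value), and the function names BuildHierarchy and VerifyLeaf are mine. It uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed, hypothetical copy of the Let's Encrypt shape:
// an old root (stand-in for DST Root CA X3), a new root (stand-in for
// ISRG Root X1), one intermediate key certified by both roots (the
// cross-sign), and a server leaf issued by that intermediate key.
type Hierarchy struct {
	OldRoot, NewRoot       *x509.Certificate
	ViaOldRoot, ViaNewRoot *x509.Certificate // same intermediate key, two issuers
	Leaf                   *x509.Certificate
}

// Constructed scenario dates (hypothetical, not the real CA's values).
var (
	OldRootExpiry = time.Date(2021, 9, 30, 14, 0, 0, 0, time.UTC)
	BeforeExpiry  = OldRootExpiry.Add(-30 * 24 * time.Hour) // legacy store still works
	AfterExpiry   = OldRootExpiry.Add(24 * time.Hour)       // legacy store breaks
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func caTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign issues tmpl for pub, signed by signer under parent, and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildHierarchy generates fresh keys and certificates for the scenario.
func BuildHierarchy() Hierarchy {
	oldKey, newKey, intKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()

	oldTmpl := caTemplate(1, "Hypothetical Old Root (DST X3 stand-in)",
		time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC), OldRootExpiry)
	newTmpl := caTemplate(2, "Hypothetical New Root (ISRG X1 stand-in)",
		time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC))
	oldRoot := sign(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	newRoot := sign(newTmpl, newTmpl, &newKey.PublicKey, newKey)

	// One intermediate key, two certificates with the same subject: the cross-sign.
	intTmpl := caTemplate(3, "Hypothetical Intermediate R3",
		time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC), time.Date(2025, 9, 1, 0, 0, 0, 0, time.UTC))
	viaOld := sign(intTmpl, oldRoot, &intKey.PublicKey, oldKey)
	viaNew := sign(intTmpl, newRoot, &intKey.PublicKey, newKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed host name
		DNSNames:     []string{"example.test"},
		NotBefore:    BeforeExpiry.Add(-24 * time.Hour),
		NotAfter:     AfterExpiry.Add(60 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, viaNew, &leafKey.PublicKey, intKey)
	return Hierarchy{OldRoot: oldRoot, NewRoot: newRoot, ViaOldRoot: viaOld, ViaNewRoot: viaNew, Leaf: leaf}
}

// VerifyLeaf emulates a client whose trust store holds exactly `trusted`,
// validating at time `at` a server that sent the leaf plus both cross-signed
// intermediates. Go's verifier also checks the root's own validity period,
// which is the behaviour that bit legacy clients.
func VerifyLeaf(h Hierarchy, at time.Time, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	inters.AddCert(h.ViaOldRoot)
	inters.AddCert(h.ViaNewRoot)
	_, err := h.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "example.test",
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   at,
	})
	return err
}

func main() {
	h := BuildHierarchy()
	fmt.Println("legacy store, before expiry:", VerifyLeaf(h, BeforeExpiry, h.OldRoot))
	fmt.Println("legacy store, after expiry: ", VerifyLeaf(h, AfterExpiry, h.OldRoot))
	fmt.Println("updated store, after expiry:", VerifyLeaf(h, AfterExpiry, h.NewRoot))
}
```

The third call is the remediation the briefing describes: once the new root is in the store, the path through the cross-signed intermediate is no longer needed and the expired root is ignored. A store that carries both roots also validates, which is why shipping the new root ahead of the cut-over is the safe move for devices that can still take updates.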