Let’s Encrypt Root Certificate Expiration: Should You Worry?

Root certificate authorities, or root CAs (called “trust anchors” in X.509 terminology), hold the highest position in the trust tree and are recognized by all clients (browser/OS) at all levels. Root CAs are responsible for identifying intermediate CAs and verifying their trustworthiness. The root CA uses its certificate’s private key to sign the certificates of the intermediate CAs (or, in the case of unchained certificates, the server certificate) under it. The trustworthiness of the root CA is thus “passed down” to the intermediate CAs; any CA validated by the root CA is automatically trusted by the clients that trust that root.

So, when you heard about Let’s Encrypt’s root certificate expiration on September 30, 2021, did it send shivers down your spine? Millions of websites have vested trust in Let’s Encrypt, a free-to-use non-profit that issues certificates for encrypting connections between your devices and the wider internet. The root certificate that Let’s Encrypt uses, the IdenTrust DST Root CA X3, will expire on September 30, 2021. Most website users can rest assured that this will have no impact. But if you have not been updating your devices at regular intervals, you are at risk, and that’s something you need to worry about.

As Scott Helme mentions, this will not be the first time a root CA certificate has expired, and it might follow the same trend as previous expirations where things break. “If the root certificate that your certificate chain anchors on is expired, then there’s a good chance it’s going to cause things to fail. This happened last year, on May 30, when the AddTrust External CA Root expired and took a bunch of things with it. Organizations like Roku, Stripe, Spreedly, and many others had problems, and they weren’t the only ones. Even RedHat had something to say about the event.”

Let’s Encrypt has taken every possible measure to ensure business as usual. For the last five years, Let’s Encrypt has had one root: the ISRG Root X1, which has a 4096-bit RSA key and is valid until 2035. Moreover, Let’s Encrypt obtained a cross-signature for its certificate with a validity longer than that of the signing root. Cross-signing bridges the gap between the issuance of a new root certificate and the time that root is incorporated into the various trust stores.


While cross-signing can be a temporary relief for some organizations, what matters is your current approach or strategy. Has your organization invested in a well-rounded cybersecurity strategy that addresses all such issues and promises to enhance your security posture?

Root certificate changes can be planned or unplanned. But are you prepared? Most enterprises now regularly manage hundreds, or even thousands, of certificates in their network infrastructure. Given their finite lifespans, it is crucial that these certificates be monitored, tracked, and renewed on time to avoid expensive application outages. However, the maintenance required isn’t the only challenge posed by the growing number of SSL/TLS certificates: the security of private keys and the trust associated with the entire certificate chain are also significant concerns.

When there is a change in root ownership, which can happen due to a change in the certificate chain of trust, how do you avoid service disruptions? Beyond certificate expiries, enterprises using certificates from deprecated roots or intermediates can also suffer severe disruptions. To avoid such disruptions, migrating to a trusted public key infrastructure (PKI) plays a significant role.

  • The first and foremost step is to run a discovery of all certificates with weak keys.
    • Identify all SSL certificates with vulnerable digital signatures across the infrastructure. It is essential that every certificate that has a weak signature (all certificates in the chain of trust, including intermediates) is tracked down, regardless of the nature of the server (internal or public-facing).
  • Assess the certificates within the discovered inventory.
    • Group and prioritize them according to the organization’s requirements. For example, replace weak certificates on mission-critical and public-facing applications before updating certificates on internal servers.
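
The discovery and assessment steps above, sketched as an added example (not AppViewX code): it checks every chain member in a constructed scan inventory for weak signatures and keys, treats the earliest notAfter in the chain as the chain's expiry, and orders the results public-facing first. Host names, thresholds and record fields are assumptions; only the September 30, 2021 root expiry date comes from the article.

```python
from datetime import date

WEAK_SIG_HASHES = ("md5", "sha1")             # assumption: hashes treated as weak
MIN_RSA_BITS = 2048                           # assumption: minimum RSA key size
EXPOSURE_RANK = {"public": 0, "internal": 1}  # public-facing is handled first
# Constructed inventory: one record per endpoint, chain ordered leaf -> root.
# Each chain entry: (subject, signature algorithm, RSA key bits, notAfter).
INVENTORY = [
    {"host": "intranet.example.internal", "exposure": "internal", "chain": [
        ("intranet.example.internal", "sha1WithRSAEncryption", 1024, date(2022, 3, 1)),
        ("Example Internal Root", "sha256WithRSAEncryption", 4096, date(2030, 1, 1))]},
    {"host": "shop.example.com", "exposure": "public", "chain": [
        ("shop.example.com", "sha256WithRSAEncryption", 2048, date(2021, 11, 20)),
        ("Example Intermediate", "sha256WithRSAEncryption", 2048, date(2025, 9, 15)),
        ("Example Old Root", "sha256WithRSAEncryption", 2048, date(2021, 9, 30))]},
    {"host": "api.example.com", "exposure": "public", "chain": [
        ("api.example.com", "sha256WithRSAEncryption", 2048, date(2021, 12, 1)),
        ("Example Intermediate", "sha256WithRSAEncryption", 2048, date(2025, 9, 15)),
        ("Example New Root", "sha256WithRSAEncryption", 4096, date(2035, 6, 4))]},
]

def assess(record, today, warn_days=30):
    """Return (findings, days_left) for one endpoint's chain."""
    findings = []
    for subject, sig_alg, bits, _ in record["chain"]:
        if any(h in sig_alg.lower() for h in WEAK_SIG_HASHES):
            findings.append(f"weak signature {sig_alg} on '{subject}'")
        if bits < MIN_RSA_BITS:
            findings.append(f"weak {bits}-bit key on '{subject}'")
    # Clients that enforce validity on every chain member reject the chain once
    # its earliest-expiring certificate lapses; that may be the root, not the leaf.
    subject, _, _, not_after = min(record["chain"], key=lambda c: c[3])
    days_left = (not_after - today).days
    if days_left <= warn_days:
        findings.append(f"chain expires in {days_left} days via '{subject}'")
    return findings, days_left

def prioritize(inventory, today):
    """Endpoints with findings, public-facing first, then soonest chain expiry."""
    flagged = []
    for rec in inventory:
        findings, days_left = assess(rec, today)
        if findings:
            flagged.append((EXPOSURE_RANK[rec["exposure"]], days_left, rec["host"], findings))
    return [(host, findings) for _, _, host, findings in sorted(flagged)]

if __name__ == "__main__":
    print(prioritize(INVENTORY, today=date(2021, 9, 15)))
```

In this sample the public shop endpoint is listed first even though its leaf is valid until November, because the root it anchors on lapses 15 days after the assessment date.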

Do you rely on SSL and certificates to protect your business?

Smart Discovery of AppViewX CERT+ discovers certificates in various ways from a variety of sources for holistic visibility. Inventory of certificates helps analyze certificates for crypto security standards as well as for expiry dates. This prevents security breaches and application outages.

AppViewX CERT+ is a next-gen machine identity and PKI management suite that allows for end-to-end automation of certificates and key lifecycles across environments and vendors.

Don’t take any vulnerability for granted!

About the Author

Sanchita Chakraborti

Director, Product Marketing – AppViewX CERT+

Sanchita is a Product Marketer responsible for understanding the industry landscape, buyer personas, their pain points and translating them into compelling value propositions and messaging.
