As of the end of July 2018, the Let’s Encrypt root, ISRG Root X1, is directly trusted by Microsoft products. The root is now trusted by all major root programs, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry.
Today’s announcement that Let’s Encrypt is trusted by all major root programs represents a major milestone, but it’s not the conclusion of its journey towards being directly trusted everywhere.
Certificates from Let’s Encrypt have been widely trusted since their first issuance because of a cross-signature from another CA called IdenTrust. Browsers and operating systems have not, by default, directly trusted Let’s Encrypt certificates, but they trust IdenTrust, and IdenTrust trusts Let’s Encrypt, so Let’s Encrypt certificates are trusted indirectly. IdenTrust is a critical partner in Let’s Encrypt’s effort to secure the Web, as it has allowed Let’s Encrypt to provide widely trusted certificates from day one.
While Let’s Encrypt is now directly trusted by almost all newer versions of operating systems, browsers, and devices, there are still many older versions in the world that do not directly trust Let’s Encrypt. Some of those older systems will eventually be updated to trust Let’s Encrypt directly. Some will not, and Let’s Encrypt needs to wait for the vast majority of those to cycle out of the Web ecosystem. Let’s Encrypt expects this will take at least five more years, so it plans to use a cross-signature until then.
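The indirect-trust arrangement described above can be reproduced with a throwaway PKI; this is an added example, not part of the original announcement. "Demo Old Root" and "Demo New Root", the file names and the two-level hierarchy are constructed stand-ins for IdenTrust and Let’s Encrypt, and the script assumes the `openssl` command-line tool (1.1.1 or later) is installed.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: every name and file here is a stand-in, not a real CA.
set -eu

build_demo_pki() {  # $1 = empty working directory
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Long-established root that older clients already ship (self-signed).
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Old Root" -keyout "$d/old.key" -out "$d/old_root.pem" 2>/dev/null
  # New root, self-signed: what an updated trust store contains.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo New Root" -keyout "$d/new.key" -out "$d/new_root.pem" 2>/dev/null
  # Cross-signature: same subject and key as the new root, signed by the old root.
  openssl req -new -config "$d/ca.cnf" -key "$d/new.key" \
    -subj "/CN=Demo New Root" -out "$d/new.csr"
  openssl x509 -req -in "$d/new.csr" -CA "$d/old_root.pem" -CAkey "$d/old.key" \
    -set_serial 2 -days 30 -extfile "$d/ca.cnf" -extensions v3_ca \
    -out "$d/new_cross.pem" 2>/dev/null
  # Subscriber certificate issued with the new CA's key.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=site.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/new_root.pem" -CAkey "$d/new.key" \
    -set_serial 3 -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf DIR TRUSTED_ROOT [SERVER_SENT_CERT]: exit 0 if the leaf chains to that root.
verify_leaf() {
  openssl verify -CAfile "$1/$2" ${3:+-untrusted "$1/$3"} "$1/leaf.pem" >/dev/null 2>&1
}

report() { if verify_leaf "$@"; then echo trusted; else echo "NOT trusted"; fi; }
demo=$(mktemp -d)
build_demo_pki "$demo"
echo "old store, server sends cross-signed cert: $(report "$demo" old_root.pem new_cross.pem)"
echo "old store, no cross-signed cert sent:      $(report "$demo" old_root.pem)"
echo "updated store, new root trusted directly:  $(report "$demo" new_root.pem)"
rm -rf "$demo"
```

The middle case is what an older client would see if the cross-signed certificate were dropped from the served chain before that client's trust store had been updated.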
As a subscriber of Let’s Encrypt, today’s milestone does not require any action on your part. Just continue to use best practices, including making sure that your ACME client (e.g. Certbot or an alternative) is regularly receiving software updates.
Let’s Encrypt is currently providing certificates for more than 115 million websites.
Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.