On September 30 2021, there will be a change in how older browsers and devices trust web/https certificates. If you run a typical website, you won’t notice any difference. However, if you are run other services such as an API or connections to (IoT) devices, you may need to make settings.
The primary certificates are built on top of the root certificate ISRG Root X1, so they are trusted by different devices. There is also a dependency on an older root certificate DST Root CA X3, which will end on September 30, 2021. The new root certificate is sometimes not recognized by older devices and systems or is not displayed as trustworthy because they no longer receive the latest security updates from the manufacturers. (See the list with details below).
What do I have to do now?
In most cases: nothing at all. Our systems are updated automatically, as well as the current end devices (laptop, smartphone, browser…) trust the root certificate already in use now without any problems.
If you provide an API or have to support (IoT) devices, you’ll need to make sure of two things: (1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.
ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1
)
Known supported systems
- Windows >= XP SP3
- macOS >= 10.12.1
- iOS >= 10
- Android >= 7.1.1
- Mozilla Firefox >= 50.0
- Ubuntu >= 16.04
- Debian >= jessie / 8
- Java 8 >= 8u141
- Java 7 >= 7u151
Browsers (Chrome, Safari, Edge, Opera) generally trust the same root certificates as the operating system they are running on. Firefox is the exception: it has its own root store.
Known Incompatible
- Blackberry < v10.3.3
- Android < v2.3.6
- Nintendo 3DS
- Windows XP prior to SP3
- Java 7 < 7u111
- Java 8 < 8u101
- Windows Live Mail (2012 mail client, not webmail)
- PS3 game console
- PS4 game console with firmware < 5.00
This change is publishes as #M15052021179 on our websites https://25space.com/developer/changelog/