ggenard
Staff

Introduction 

With the latest changes to the Let's Encrypt certificate chain, our goal is to ensure minimal disruption to your operations. Let's Encrypt, a widely trusted Certificate Authority (CA) known for providing free SSL/TLS certificates, is changing the chain of trust behind its certificates in 2024. The change shortens the chain (fewer bytes in every TLS handshake) and removes Let's Encrypt's dependency on a third-party root, but it also affects which clients can validate newly issued and renewed certificates.

In this blog post, we provide an overview of the upcoming changes, what you can expect, and how they might affect your current setup. We also explain how FortiWeb Cloud handles the transition: certificate renewals move to the new Let's Encrypt chain automatically, so your operations continue without interruption. Finally, we address the challenges that can arise with legacy devices and offer guidance and best practices to mitigate them.

By staying informed and prepared, you can ensure that your security infrastructure remains robust and compliant with the latest standards, all while maintaining the highest level of service your users expect. 

 

Let's Encrypt Expected Updates  

When Let's Encrypt first launched, it obtained a cross-signature from IdenTrust's DST Root CA X3 for its certificate chain. This was necessary to ensure that Let's Encrypt certificates would be widely trusted from the outset: DST Root CA X3 was already present in the trust stores of essentially all platforms and devices, while Let's Encrypt's own root certificate, ISRG Root X1, was still in the process of being accepted by the various root programs. The cross-sign gave Let's Encrypt immediate credibility without waiting for that acceptance.

Over time, ISRG Root X1 has achieved widespread trust on its own. It is now embedded in the trust stores of the major operating systems, browsers, and devices, so the reliance on the cross-signed chain has diminished. Let's Encrypt can now serve certificates that chain directly to ISRG Root X1 without the additional trust bridge provided by IdenTrust's DST Root CA X3. This transition marks a significant milestone in the maturity and independence of Let's Encrypt's infrastructure.

 

Key Dates and the Path Forward 

  • February 8th, 2024: Let's Encrypt stopped including the cross-sign in the default chain returned by its ACME API, signaling the shift toward the shorter chain. The longer chain remained available as an alternate chain for subscribers who requested it.
  • June 6th, 2024: The longer, cross-signed chain is no longer offered at all, not even as an alternate chain. Everything issued or renewed after this date chains to ISRG Root X1 only.
  • September 30th, 2024: The cross-signed ISRG Root X1 certificate (the one signed by DST Root CA X3) expires, so any copies of the long chain still being served stop validating. This marks the completion of the transition.

 

Implications for FortiWeb Cloud Users  

Automatic Certificate Renewal: FortiWeb Cloud ensures that your Let’s Encrypt certificates are renewed automatically, maintaining seamless security for your applications. With the upcoming changes, FortiWeb Cloud will transition to using the ISRG Root X1 chain for these renewals. This shift will happen automatically and transparently, requiring no manual intervention on your part. You can continue to rely on FortiWeb Cloud to manage your certificate renewals efficiently, ensuring uninterrupted service and compliance with the latest security standards. 

 

Impact on Modern Devices: The change to Let's Encrypt's certificate chain will have minimal impact on modern devices and on browser versions released after 2016. These devices and browsers have updatable trust stores that already include the ISRG Root X1 certificate, so they recognize and trust certificates issued under the ISRG Root X1 chain without any intervention from users or administrators. Users accessing your services from modern devices will continue to experience uninterrupted and secure connections, unaffected by the certificate chain transition.

 

Impact on Legacy Devices: Legacy devices and systems, including those running Android 7.0 or earlier (ISRG Root X1 was first included in Android's trust store in version 7.1.1, released in 2016), do not have ISRG Root X1 in their trust store and could only validate Let's Encrypt certificates through the cross-signed chain that leads to DST Root CA X3. Once that chain is no longer served, and in any case once the cross-sign expires on September 30th, 2024, these clients cannot build a trusted path for a Let's Encrypt certificate and will fail TLS (Transport Layer Security) certificate validation: browsers show errors or warnings, and apps that rely on the system trust store fail to connect. Users on such devices may be unable to reach websites or services secured with Let's Encrypt certificates until the trust issue is addressed on the client side. Administrators should be aware of this impact and consider mitigations such as updating or replacing affected clients, or, for services that must remain reachable from legacy clients, obtaining a certificate from another CA whose root those clients already trust.

 

Guidance for Legacy Device Users  

Upgrade Browsers: To avoid TLS errors or warnings when accessing domains secured by Let's Encrypt certificates from legacy devices, we recommend that users upgrade their browsers to the latest available version. Recent browser versions that ship their own trust store include the ISRG Root X1 certificate, so they validate Let's Encrypt certificates without compatibility issues. Browsers that rely on the operating system's trust store do not benefit from this, so on such devices the guidance below applies.

 

Use Firefox Mobile: For users on Android 7.0 or earlier, we suggest installing and using Firefox Mobile (Firefox for Android) as an alternative browser. Firefox Mobile ships its own Mozilla root store, independent of the device's operating system store, and that store has included the ISRG Root X1 certificate since 2016. Using Firefox Mobile therefore restores access to websites secured by Let's Encrypt certificates without TLS errors or warnings. Note that this only helps for browsing: other apps on the device that use the system trust store remain affected.

 

Recommended Course of Action 

Stay Informed: While FortiWeb Cloud handles the transition to Let's Encrypt's new certificate chain for you, it is worth understanding what is changing. Knowing which roots your clients trust and which chain your certificates use lets you assess the potential impact on your own infrastructure, particularly any client population on legacy devices, and act before users are affected. Following certificate authority announcements also keeps you ahead of similar changes in the future, since root rotations and cross-sign expirations are a recurring part of running a public-facing service.

 

Rely on FortiWeb Cloud: FortiWeb Cloud’s automated renewal process and updated certificate stores are designed to ensure that your web applications continue to operate securely and maintain trustworthiness. FortiWeb Cloud seamlessly manages the transition to Let's Encrypt's new certificate chain, relieving you of any manual intervention or concerns regarding certificate validity.  

 

Conclusion  

The expiration of the DST Root CA X3 cross-sign on ISRG Root X1 and the move to a chain that ends at Let's Encrypt's own ISRG Root X1 mark a significant milestone in the web security domain. As a FortiWeb Cloud user, you can be confident that this transition will be smooth and without impact for the majority of your users: certificate renewals move to the new chain automatically, and no action is required on your side. For users with legacy devices or systems, we recommend the steps outlined above, upgrading browsers or using an alternative such as Firefox Mobile, to maintain access to websites secured by Let's Encrypt certificates. If you have questions or need further assistance, please contact our support team.

 

**Tags**: FortiWeb Cloud, Let's Encrypt, SSL/TLS, ISRG Root X1, IdenTrust, Web Security, Automatic Certificate Renewal, Legacy Devices