Lets Encrypt Android will continue to provide three years of support for Android 7.1

Let’s Encrypt is the world’s most well-known certification authority. At present, this certification authority is also the world’s most widely used certificate issuance platform. It provides free certificates that run on tens of millions of websites. Provide encrypted access to websites and users to ensure that data will not be leaked. I have to say that this project is a free project that benefits the entire Internet, and we need to thank Mozilla and the main sponsors of the project.

However, the project will replace the new root certificate in the fall of next year. The replacement of the root certificate is expected to cause a large number of websites to be unable to access normally. The main affected is the Android system. Specifically, the main impact is Android 7.1 and below. These systems are not compatible with the root certificate that Let’s Encrypt is about to replace, resulting in a certificate verification failure, which will affect the normal access of users.

The reason for the failure to verify is that the Let’s Encrypt operating entity ISRG is preparing to launch its own branded digital certificate ISRG Root X1, but this digital certificate cannot be certified for the old version of Android because these old versions of Android have lost the support of Google and the manufacturer and cannot be timely Update the certificate database, so in theory, Android 7.1 and below are not compatible with ISRG Root X1 certificates, which will affect the normal access of a large number of websites around the world.

The good news is that this problem has been solved, and the solution is very interesting. “IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3. The new cross-sign will be somewhat novel because it extends beyond the expiration of DST Root CA X3. This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors. ISRG and IdenTrust reached out to our auditors and root programs to review this plan and ensure there weren’t any compliance concerns.

As such, we will be able to provide subscribers with a chain which contains both ISRG Root X1 and DST Root CA X3, ensuring uninterrupted service to all users and avoiding the potential breakage we have been concerned about.”

After three years, cross-validation will be completely over, but by then these old Android devices may have been gradually abandoned by users and will not have much negative impact.