DST Root CA X3 Expiry – Invalid Certificate Error on Chrome (September 30th, 2021)

Author: Wagner    Posted: 7 October 2021   Viewed: 1666 times   Tag: #Chrome 

DST Root CA X3 certificate expired on September 30th, 2021 causing many devices on the internet with an Invalid Certificate error, including the websites and services using the Let’s Encrypt certificates. 

Some of these certification authorities are built into the browsers and operating system certificate stores and they are supposed to get updated along with OS updates. However, some older devices may not be in the update list and maybe still using the older Root CA which expired on 30th Sep 2021. Also, if the devices using the pirated operating systems, then they may not be eligible to get the latest update.


Root CA Certificates (PEM format):

- ISRG Root X1 (Or ISRG Root X1 DER Format)

- ISRG Root X2 (Or ISRG Root X2 DER Format)

Intermediate Certificate (PEM format):

- Let’s Encrypt R3 (Or Let’s Encrypt R3 DER Format)


WINDOWS 10 – DETAILED STEPS

1. Download the .DER versions of the 3 certificates listed above. Filenames you should end up with are

isrgrootx1.der

isrg-root-x2.der

lets-encrypt-r3.der


2. Open Windows Settings, search for ‘certificate’, select ‘manage computer certificates’ (requires elevation)


3. Navigate tree view: Certificates – Local Computer > Trusted Root Certification Authorities > Certificates. Sort by “Friendly Name” column. Look for ISRG ROOT X1 and ISRG ROOT X2. I was missing both.


4. Right-click on Certificates folder in the tree view, and select all tasks > import.


5. It will prompt you for filename. Select “isrgrootx1.der” file downloaded in step 1. Import.


6. Repeat for filename “isrg-root-x2.der”. Note: after import, it appears that there are duplicate entries for these – I see ISRG Root X1 and ISRG Root X2 each listed twice. I don’t think this is a problem, but I don’t understand it.


7. Find expired certificate “DST Root CA X3” in the table. Right-click > delete.


8. Navigate tree view: Certificates – Local Computer > Intermediate Certification Authorities > Certificates.


9. Right-click Certificates folder, select all tasks > import.


10. At file prompt, select the “lets-encrypt-r3.der” file downloaded in step 1. Import.


11. Reboot system.


Mac step by step:

1. Download the 3 Certificates onto your Mac like the article states above.


2. Open Applications > Utilities > Keychain Access.


3. Unlock Keychain Access if locked, by clicking the lock icon and entering your password.


4. Drag the 3 Certificates into Keychain “login”


5. Double-click a certificate, it will open a smaller window with “Trust” and “Details”. (pop-up menu)


6. Click on the “Trust” arrow to expand it.


7. Click to expand the pop-up menu near “When using this certificate”.


8. Choose the option “Always Trust” from the pop-up menu.


9. Drag the Certificate again, from “login” into “System”


10. Do this with all 3 Certificates.

Your Kind Action