DST Root CA X3 Expiry – Invalid Certificate Error on Chrome [Fix]

Updated on October 5, 2021

The DST Root CA X3 certificate expired on September 30th, 2021, leaving many devices on the internet with an Invalid Certificate error on websites and services that use Let’s Encrypt certificates. But you know what? I was not even aware of this certificate expiry until one of my clients sent me a screenshot showing his website failing to load on Chrome on Windows.

Below is the screenshot of the error:

Looking at the screenshot, I thought the cron job might have failed to update the Let’s Encrypt certificate. The case was different: the SSL certificate issued for the client website was still valid, but DST Root CA X3, the root certificate that Let’s Encrypt is currently using, had expired on 30th September 2021.

DST Root CA X3 Expiration – Fix

So how did I fix this? Well, I tried to reproduce the issue on my Chrome browser on Windows, but it worked fine over there. Then I requested my client to check the website on the Firefox browser from the same machine, and to my surprise, the website loaded without an issue. Finally, I took remote desktop access to my client’s PC to check the certificate details by clicking ‘Not secure’ in the address bar and then Certificate > Details. Well, this revealed more information about the Root certificate and its status.

DST Root CA X3 expired

Ultimately, the DST Root CA X3 certificate reached the end of its validity on Sep 30th, 2021, and that caused many devices to treat the certificates issued by the authority as invalid.

OK. What’s a root certificate?

All the certificates used for HTTPS on the internet are issued by a Certificate Authority (CA), an entity that’s trusted by devices and operating systems.

Why didn’t Windows update the root CA?

Some of these certification authorities are built into browser and operating system certificate stores, and they are supposed to be updated along with OS updates. However, some older devices may not be on the update list and may still be using the older root CA, which expired on 30th Sep 2021. Also, devices running pirated operating systems may not be eligible to get the latest updates.

Nevertheless, you can follow the steps below to fix the issue.

On Windows 7 or 10:

Step 1: Launch the Run dialog.

Step 2: Type certmgr.msc and hit Enter.

Step 3: In the certificate manager window, click on ‘Trusted Root Certification Authorities’ > Certificates.

Step 4: Look for the ‘DST Root CA X3’ entry and click the delete icon to remove it from the Trusted Root Certification Authorities store.

Step 5: Download the latest CA certificate from this link.

Step 6: Double-click the downloaded file and install it. Remember to choose ‘Place all certificates in the following store’ and select ‘Trusted Root Certification Authorities’.

Step 7: Close the browser and launch it again.

Step 8: Test the website to ensure everything is working fine. If not, you may need to clear the browser cache and try again.
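Steps 4 to 6 can also be scripted. The following PowerShell is an added example, not part of the original article: it reports the two roots named on this page and, with -Apply, removes the expired DST Root CA X3 and installs a downloaded root only after checking that the file is self-signed, in date and matches a fingerprint you supply. The parameter names and the fingerprint check are assumptions of this example; take the fingerprint from the CA's own published certificate page.

```powershell
# Added example, not from the original article. Audits the Trusted Root store for the
# two roots named on this page and, with -Apply, performs Steps 4-6 after verifying the file.
param(
    [string]$NewRootPath,               # downloaded root certificate file (assumption)
    [string]$ExpectedSha256,            # fingerprint published by the CA; supply your own
    [string]$Location = 'CurrentUser',  # or LocalMachine (needs an elevated prompt)
    [switch]$Apply                      # without -Apply the script only reports
)
$ns    = 'System.Security.Cryptography.X509Certificates'
$mode  = if ($Apply) { 'ReadWrite' } else { 'ReadOnly' }
$store = New-Object "$ns.X509Store" -ArgumentList 'Root', $Location
$store.Open($mode)
try {
    # Report both roots and whether each one is still within its validity period.
    $now = Get-Date
    foreach ($cert in $store.Certificates) {
        if ($cert.Subject -match 'CN=(DST Root CA X3|ISRG Root X1)') {
            '{0}: NotAfter={1:yyyy-MM-dd} Expired={2} SHA1={3}' -f `
                $Matches[1], $cert.NotAfter, ($cert.NotAfter -lt $now), $cert.Thumbprint
        }
    }
    if (-not $Apply) { return }

    # Verify the downloaded file BEFORE trusting it: a root must be self-signed,
    # in date, and match the fingerprint the CA publishes out of band.
    if (-not $NewRootPath -or -not $ExpectedSha256) {
        throw '-Apply needs -NewRootPath and -ExpectedSha256.'
    }
    $new = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $NewRootPath).Path
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fp  = [BitConverter]::ToString($sha.ComputeHash($new.RawData)) -replace '-', ''
    if ($new.Subject -ne $new.Issuer) { throw 'Not self-signed; refusing to add it as a root.' }
    if ($new.NotAfter -lt $now)       { throw 'The downloaded certificate has already expired.' }
    if ($fp -ne ($ExpectedSha256 -replace '[:\s]', '')) { throw "Fingerprint mismatch: $fp" }

    # Step 4: remove only the expired DST Root CA X3 entries.
    $old = @($store.Certificates |
        Where-Object { $_.Subject -match 'CN=DST Root CA X3' -and $_.NotAfter -lt $now })
    foreach ($c in $old) { $store.Remove($c); "Removed $($c.Thumbprint)" }

    # Steps 5-6: add the verified root unless it is already present.
    if (-not ($store.Certificates | Where-Object { $_.Thumbprint -eq $new.Thumbprint })) {
        $store.Add($new); "Added $($new.Subject)"
    }
}
finally { $store.Close() }
```

Run it once without -Apply to see what is installed. Windows may show its own confirmation dialog when a root is added to or removed from the current-user store.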

That’s it, this should fix the issue. But can you ask every visitor to your website to do this? Of course not, and this issue may not happen for visitors who use genuine operating systems or devices that receive updates.

Also, the root certificate expiry didn’t affect the Firefox browser, because the browser has its own certificate store and does not rely on the Windows certificate store. Hence, updating Firefox should suffice.

Finally, here is a Stack Overflow answer that has suggestions for some of the old devices that may be affected by this issue.

Comments

  1. Oh my goodness. Spent days on customer support which wasn’t able to help me like you did….they should be fired. Man you’re my true hero and I have no words how to thank you. So many pages now work again:)

  2. Thank you very much. I am facing this problem for some time and it was resolved very easily

  3. Thanks from the deepest point in my heart, I can’t express how happy I am

  4. Great one, David. It helped to fix my problem. Thank you so much.

  5. After deleting the old certificate, I needed to import new certificate by Action->All tasks->Import and then select newly downloaded certificate.

  6. Thank you very much for this article! It is really helpful!

  7. Mate you’ve saved me. I’ve been struggling with this for a while and couldn’t work out why one computer was fine but this one was always moaning about the certificate being invalid. Tried deleting the root several times, it just came back. Thanks to you mentioning that I needed to install the new one manually, I did that and now stuff works again. What a pain but I got there eventually thanks to you!

  8. when I tell you I exhausted ALL of my options… and you saved me omg thank you so so much!

  9. Your method solved my Chrome browser problem and it also solved the error when trying to download ebooks from public library using Adobe Digital Editions software. See:
    https://community.adobe.com/t5/digital-editions-discussions/connection-error-detected-digital-edition-could-not-connect-to-the-fulfillment-server/td-p/12571382
    But I have a question. I looked at the valid date of the certificate you gave link to
    (right click on isrgrootx1.der file, open with crypto shell extension) and it says the certificate expires 6/4/2035. However, when I go back to look at DST Root CA X3, it still says expires Sept 30, 2021. However, there is a 6/4/2035 expire date on down the list called ISRG Root X1. Can you explain why the DST Root CA still shows Sept 30, 2021 instead of 2035? And what is ISRG Root X1? Also, if I have these kind of certificate problems in future, can you tell me how you knew how to do all this (like how did you know to get isrgrootx1, etc.)?

  10. Thank you so much!! Your instructions are very clear and understandable. Finally, I can fix the problem that has been bugging me for months!

  11. Hopefully, this will fix my Chrome browser certificate issue.

  12. You really deserve all the raves from these reviews, thanks for sharing, it worked for me also on Chrome 95 and Windows 7 64bits.

  13. Noticed this on one of my old PCs recently… Thanks for the fix. It worked.
    dos 3.3->dos 6->.Win3.1->win3.11->Win95/98/2000->NT->XP->win7->win8.1->Win10
    not to mention Linux Distros. Yes fixed Windows 7. Cheers

  14. I was getting sick and tired of reading long articles and listening to videos trying to teach me about SSL certificates. What an absolute waste of my time. I didn’t care to learn anything about WHY the problem existed … I just wanted a SOLUTION so that I could go about doing my work! You provided the quick and easy solution. Thank you, thank you, thank you!

    Angelo
    Chrome 95 on Windows 7, 64 bit

  15. PERFECT! While everyone else was talking about the theories behind SSL certificates and making long boring videos, you gave a quick SOLUTION! Way to go. I commend you!

  16. I have contacted Google multiple times and got no useful solution. This detailed article was very useful and resolved the issue instantly. Thanks!

  17. Deleting the expired DST Root CA X3 worked for me. I did not need to install the CA certificate that you linked to. That one was already installed on my system.

    Thank you for the assistance!

  18. Hi there. Is there a fix for a macbook? Same problem..

  19. Dear David Thanks a lot You’re a professional, Job well done. Ali

  20. Really helpful, I have tried so many fixes but they did not work. This solution worked on Windows 7. Thanks a lot…
