The DST Root CA X3 certificate expired on September 30th, 2021, causing Invalid Certificate errors on many devices on the internet and affecting websites and services that use Let’s Encrypt certificates. But you know what? I was not even aware of this certificate expiry until one of my clients sent me a screenshot showing his website failing to load on Chrome on Windows.
Below is the screenshot of the error:
Looking at the screenshot, I thought the CRON job might have failed to update the Let’s Encrypt certificate. Well, the case was different: the SSL certificate issued for the client website was still valid, but DST Root CA X3, the root certificate that Let’s Encrypt is currently using, had expired on 30th September 2021.
DST Root CA X3 Expiration – Fix
So how did I fix this? Well, I tried to reproduce the issue on my Chrome browser on Windows, but it worked fine over there. Then I requested my client to check the website on the Firefox browser from the same machine, and to my surprise, the website loaded without an issue. Finally, I took remote desktop access to my client’s PC to check the certificate details by clicking ‘Not secure’ in the address bar and then Certificate > Details. Well, this revealed more information about the Root certificate and its status.
DST Root CA X3 expired
Ultimately, the DST Root CA X3 certificate reached its end on Sep 30th, 2021, and that caused many devices to treat the certificates issued by the authority as invalid.
OK. What’s a ROOT certificate?
All the certificates that are issued for HTTPS on the internet are issued by a Certificate Authority (CA), an entity that’s trusted by devices and operating systems.
Why didn’t Windows update the ROOT CA?
Some of these certification authorities are built into browser and operating system certificate stores, and they are supposed to get updated along with OS updates. However, some older devices may not be on the update list and may still be using the older Root CA, which expired on 30th Sep 2021. Also, devices running pirated operating systems may not be eligible to get the latest updates.
Nevertheless, you can follow the below steps to fix the issue.
On Windows 7 or 10:
Step 1: Launch
Step 2: Type certmgr.msc and hit enter.
Step 3: In the certificate manager window, click on ‘Trusted Root Certification Authorities’ >
Step 4: Look out for the ‘DST Root CA X3’ entry and click the delete icon to remove it from the Trusted certification authority store.
Step 5: Download the latest CA certificate from this link.
Step 6: Double click on the downloaded file and install it. Remember to choose ‘Place all certificates in the following store’ and choose ‘Trusted Root Certification Authorities’.
Step 7: Close the browser and launch it again.
Step 8: Test the website to ensure everything is working fine. If not, you may need to clear the browser cache and try again.
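As an added example (not part of the original post), the PowerShell below reports whether DST Root CA X3 is present and expired in the current-user and local-machine root stores, and vets a downloaded root file before it is installed in Step 6. The function names, the file name and the expected fingerprint are assumptions; take the fingerprint from the CA's own website, not from the page that hosts the download.

```powershell
# Added example: audit the Windows root stores and vet a downloaded root before Step 6.
# Function names, the file name and the fingerprint placeholder are assumptions.

function Get-RootStatus {
    param([string]$NamePattern = '*DST Root CA X3*')
    # certmgr.msc shows the current-user view; the machine store is checked as well.
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like $NamePattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    NotAfter   = $_.NotAfter
                    Expired    = $_.NotAfter -lt (Get-Date)
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

function Test-DownloadedRoot {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $file = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    # SHA-256 over the DER encoding is the fingerprint CAs publish for their roots.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $fp   = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
    $want = ($ExpectedSha256 -replace '[:\s]', '').ToUpperInvariant()
    $now  = Get-Date
    $checks = [ordered]@{
        SelfSigned       = $cert.Subject -eq $cert.Issuer   # a root names itself as issuer
        WithinValidity   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        FingerprintMatch = $fp -eq $want
    }
    $checks.GetEnumerator() | ForEach-Object { Write-Host ("{0,-17} {1}" -f $_.Key, $_.Value) }
    Write-Host "Subject: $($cert.Subject)`nSHA-256: $fp"
    return (@($checks.Values) -notcontains $false)
}

Get-RootStatus | Format-Table -AutoSize
# Test-DownloadedRoot -Path .\downloaded-root.cer -ExpectedSha256 '<fingerprint published by the CA>'
```

Install the file only when `Test-DownloadedRoot` returns `True`; a root placed in the trusted store can vouch for any website, so a mismatch means the download should be discarded.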
That’s it, this should fix the issue. But can you ask every visitor to your website to do this? Of course not, and this issue may not happen for visitors who are using genuine operating systems or devices that receive updates.
Also, the root certificate expiry didn’t affect the Firefox browser, because the browser has its own certificate store and does not rely on the Windows certificate store. Hence updating Firefox should suffice.
Finally, here is a Stack Overflow answer that has suggestions for some of the old devices that may be affected due to this issue.