by Walkman
3933 days ago
How does a root CA go into the trust store? I know Firefox embeds them, so older versions of it will not include it. Do minor OS updates (Windows, OS X, ...) ever update the trust store? How much time does it actually take before I can safely use it and be sure that the majority of browsers accept it?

The cross-signature is a delegation of authority from an existing root CA to Let's Encrypt's intermediate CA, saying that Let's Encrypt should also be trusted to issue certificates. Browsers that accept IdenTrust's root, which is widely accepted today, will then also accept the Let's Encrypt certificates as long as the services that present them also present the certificate chain (which includes the cross-signature certificate).
This will happen in parallel to Let's Encrypt's efforts to be accepted as a root CA, and is not dependent on it. For example, if Mozilla decided not to allow Let's Encrypt to be trusted as a root yet, past, current, and future Mozilla browsers would still accept Let's Encrypt end-entity certificates (with the proper chain) because of the cross-signature.
This is discussed in
https://community.letsencrypt.org/t/frequently-asked-questio...
and is also described in more detail at
https://letsencrypt.org/2015/06/04/isrg-ca-certs.html
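
An added example, not part of the original comments: a small Python model of the chain building described in the reply above, showing that a client trusting only the IdenTrust root accepts a Let's Encrypt leaf only when the server presents the cross-signed intermediate. All names and key labels are constructed, and a matching key label stands in for real signature verification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str     # who the certificate names
    key: str         # subject's public key (a label stands in for key material)
    issuer: str      # who signed it
    signer_key: str  # key the signature would verify under

# Constructed certificates; nothing here is parsed from real X.509 data.
IDENTRUST_ROOT = Cert("IdenTrust Root", "k-identrust", "IdenTrust Root", "k-identrust")
ISRG_ROOT = Cert("ISRG Root", "k-isrg", "ISRG Root", "k-isrg")
# Same subject and same key, two different issuers: that is the cross-signature.
LE_BY_ISRG = Cert("Let's Encrypt Intermediate", "k-le", "ISRG Root", "k-isrg")
LE_CROSS = Cert("Let's Encrypt Intermediate", "k-le", "IdenTrust Root", "k-identrust")
LEAF = Cert("example.org", "k-leaf", "Let's Encrypt Intermediate", "k-le")

def build_path(cert, presented, trust_store, seen=()):
    """Return a chain from cert up to a trusted root, or None if none exists."""
    signer = (cert.issuer, cert.signer_key)
    for root in trust_store:
        if (root.subject, root.key) == signer:
            return [cert, root]
    # Try every presented certificate that could have signed this one,
    # backtracking when a candidate does not lead to a trusted root.
    for cand in presented:
        if cand == cert or cand in seen:
            continue
        if (cand.subject, cand.key) == signer:
            rest = build_path(cand, presented, trust_store, seen + (cert,))
            if rest:
                return [cert] + rest
    return None

def subjects(path):
    """Readable form of a path, or None when no path was found."""
    return None if path is None else [c.subject for c in path]

if __name__ == "__main__":
    old_client = [IDENTRUST_ROOT]  # trust store without the new root
    print(subjects(build_path(LEAF, [LE_CROSS], old_client)))    # chain found
    print(subjects(build_path(LEAF, [], old_client)))            # chain missing
    print(subjects(build_path(LEAF, [LE_BY_ISRG], old_client)))  # wrong chain
```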