by hashamali 2092 days ago
> For the last five years, Let’s Encrypt has had one root: the ISRG Root X1, which has a 4096-bit RSA key and is valid until 2035.

Somewhat tangential, but what happens to all active certificates when the root key expires?

5 comments

> what happens to all active certificates when the root key expires?

They expire, but normally the CA wouldn't issue certificates outliving their root.

It can be a concern for legacy devices whose trust store doesn't get updated, but really no more so than any other cert expiration or revocation.

CAs simply never sign a cert with an expiry longer than their own root cert.

Thus, by the time the root cert expires, all client certs will already be expired.

This actually happened recently and some older stuff stopped working. There's a write-up here: https://www.namecheap.com/blog/sectigo-ssl-certificate-root-...
That blog article is a poor explanation of the issue.

The root CA from namecheap was expiring. They tried to recreate it, only changing the date, to continue to issue certificates to customers with it the same way.

They hoped users/systems would accept their newer CA automatically after the old CA expired. CAs are additive; there are many configured on a system, and it's standard practice to add more by keeping existing ones and adding new ones.

This blew up in their face monumentally because having two identical CAs is conflicting. Things failed to verify after the original CA expired.

They all become untrusted, if the verifier does their job. That said, a root doesn't issue site level certificates, so the intermediates and issued certs themselves would expire first.
Any untrusted, expired, or revoked certificate in the certificate chain (including the root, the leaf certificate, and all intermediates) means the client will not trust the connection.
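To make the expiry rules discussed in this thread concrete, here is an added example (written for this page, not code from any commenter, Let's Encrypt or Sectigo): a minimal chain checker over constructed validity windows. It checks that every certificate in a chain is inside its window at a given time and lints the rule that no certificate should outlive its issuer, then contrasts a well-nested chain with one where an intermediate outlives the old root it was cross-signed by. All certificate names and dates are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate holding only the fields needed to
    reason about validity windows (constructed, not parsed from real certs)."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def chain_problems(chain, at):
    """Return the reasons the chain (leaf first, root last) is not trustworthy
    at time `at`: any cert outside its window, or any cert whose issuer is not
    the next cert in the chain. An empty list means the chain checks out."""
    problems = []
    for i, cert in enumerate(chain):
        if not (cert.not_before <= at <= cert.not_after):
            problems.append(f"{cert.subject}: outside validity window at {at:%Y-%m-%d}")
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            problems.append(f"{cert.subject}: issuer {cert.issuer!r} is not the next cert in the chain")
    return problems


def lint_nested_validity(chain):
    """The CA hygiene rule from the thread: no cert may expire after its issuer.
    Returns the subjects that violate it (hypothetical helper, not a real CA tool)."""
    return [c.subject for c, issuer in zip(chain, chain[1:]) if c.not_after > issuer.not_after]


# Constructed sample 1: validity windows nest properly (leaf < intermediate < root).
ROOT = Cert("Root CA", "Root CA", utc(2015, 6, 4), utc(2035, 6, 4))
INTERMEDIATE = Cert("Intermediate R3", "Root CA", utc(2020, 1, 1), utc(2025, 9, 15))
LEAF = Cert("example.com", "Intermediate R3", utc(2020, 4, 1), utc(2020, 6, 30))
GOOD_CHAIN = [LEAF, INTERMEDIATE, ROOT]

# Constructed sample 2: the same intermediate cross-signed by an old root that it
# outlives, so clients trusting only the old root fail once that root expires.
OLD_ROOT = Cert("Old Root", "Old Root", utc(2000, 5, 30), utc(2020, 5, 30))
CROSS = Cert("Intermediate R3", "Old Root", utc(2019, 1, 1), utc(2025, 9, 15))
CROSS_CHAIN = [LEAF, CROSS, OLD_ROOT]

if __name__ == "__main__":
    for name, chain in (("nested", GOOD_CHAIN), ("cross-signed", CROSS_CHAIN)):
        print(name, "lint:", lint_nested_validity(chain) or "OK")
        for when in (utc(2020, 5, 15), utc(2020, 6, 15)):
            print(name, when.date(), chain_problems(chain, when) or "OK")
```

Run as-is and the cross-signed chain verifies on 2020-05-15 but fails on 2020-06-15 with only the old root reported, which is the failure mode the Sectigo write-up above describes.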