[freerk]

Apparently they will use the same certs as implemented on letsencrypt.org, so the free certs will work without error on every client which trusts the "DST Root CA X3" CA. Can we collect a definitive list of clients which include this CA certificate? Similar to the list for StartSSL (https://forum.startcom.org/viewtopic.php?f=15&t=1802).

Firefox: Mozilla added the certificate in NSS 3.11.9 on 2008-01-31, see http://www-archive.mozilla.org/projects/security/pki/nss/nss... and https://bugzilla.mozilla.org/show_bug.cgi?id=411299 So Firefox starting with 3.0 works

Chrome: When the first Chrome came out it used Mozilla NSS which already included the certificate. Now Chrome uses the OS key store: http://www.chromium.org/Home/chromium-security/root-ca-polic...

Microsoft: The certificate is trusted by default since at least IE8 (http://www.herongyang.com/PKI/HTTPS-IE-8-Trusted-Root-CA-Cer...) and Windows automatically updates the certificates, see http://technet.microsoft.com/en-us/library/cc751157.aspx

Apple: Since iOS 2 (2008-07-11) (http://support.apple.com/en-us/HT2185) and at least since OS X Mavericks (http://support.apple.com/en-us/HT203120), but probably way earlier.

Java: Yes: https://gist.github.com/saltlakeryan/8479238

[iancarroll]

Chrome does not use NSS. It uses the underlying OS root store.

[freerk]

Sure, fixed it. Thanks!