DST Root CA X3 expired Sept 30th 2021

NoN

New member
Guru
Gold Member
VIP
Local time
10:24 PM
Messages
4,101
Location
LostInSpace, Vol15 - Cool It
Hi there, been a while and still using my Windows 7 Sp1 everyday...
Posting this here:

Source (Scott Helme)

Let's Encrypt (chain of trust)

I got some troubleshots on some sites but nothing really serious at the moment. I tried to follow their advices by installing the new self-signed ISRG Root X1 certificat (but not so new 2015) and deleting the expired one, but upon reboot the DST Root CA X3 reappeared in the OS cert store. Therefore i got the two certificates installed now side by side and seems go along together as the OS might point to the old expired one. I've reset the hosts file too, but no change on some sites connectivity.

more infos (certify the web)
 

My Computer My Computer

At a glance

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]Ivy Bridge Core i5 3570K (Delidded)G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)Asus Dual-RX480-O4G
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)
Yesterday got hit by the same and solved by downloading the new certificate from here:
ISRG Root X1 . SSL-Tools

Get the .pem version, rename to .crt upon download, double click and import into the "trusted root entity certificates" store. I've also had to restart the browser in order for it to catch the change. Everything else just work from that point on.

Deleting the old certificate is not necesary, nor the hosts file has any relevance in this problem.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64Intel Core i7-740QM8 GB DDR3NVIDIA GeForce 330GT
Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Sattelite A665-S6092
OS
Windows 7 Ultimate x64
CPU
Intel Core i7-740QM
Memory
8 GB DDR3
Graphics Card(s)
NVIDIA GeForce 330GT
Screen Resolution
1366x768
Hard Drives
Samsung 840 SSD 500GB
1TB USB3 external HD
Cooling
Coolermaster Notepal U3 notebook cooling pad
Internet Speed
3mbps ASDL
Antivirus
ClamWin 0.98.7
Browser
Opera 12.17 x86 (main), Firefox 38 (sec), IE11 (last resort)
Yesterday got hit by the same and solved by downloading the new certificate from here:
ISRG Root X1 . SSL-Tools

Get the .pem version, rename to .crt upon download, double click and import into the "trusted root entity certificates" store. I've also had to restart the browser in order for it to catch the change. Everything else just work from that point on.

Deleting the old certificate is not necesary, nor the hosts file has any relevance in this problem.

Thanks for your input.
I heard and see they provide up there the DST Root CA X3 valid until 2024 too.
 

My Computer My Computer

At a glance

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]Ivy Bridge Core i5 3570K (Delidded)G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)Asus Dual-RX480-O4G
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)
I heard and see they provide up there the DST Root CA X3 valid until 2024 too.
No, the download you see there is a ISRG Root X1 which is signed by DST Root CA X3, not a self signed one which is what you expect for a root CA certificate, so it'll fail in the very same way as you're still using the expired certificate as part of the chain.

For all practical purposes DST Root CA X3 is dead. Just install the new one (valid until 2035) and move on.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64Intel Core i7-740QM8 GB DDR3NVIDIA GeForce 330GT
Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Sattelite A665-S6092
OS
Windows 7 Ultimate x64
CPU
Intel Core i7-740QM
Memory
8 GB DDR3
Graphics Card(s)
NVIDIA GeForce 330GT
Screen Resolution
1366x768
Hard Drives
Samsung 840 SSD 500GB
1TB USB3 external HD
Cooling
Coolermaster Notepal U3 notebook cooling pad
Internet Speed
3mbps ASDL
Antivirus
ClamWin 0.98.7
Browser
Opera 12.17 x86 (main), Firefox 38 (sec), IE11 (last resort)
Which I did yesterday with the ISRG Root X1..Thx for having clearing it up.
 
Last edited:

My Computer My Computer

At a glance

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]Ivy Bridge Core i5 3570K (Delidded)G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)Asus Dual-RX480-O4G
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)
No, the download you see there is a ISRG Root X1 which is signed by DST Root CA X3, not a self signed one which is what you expect for a root CA certificate, so it'll fail in the very same way as you're still using the expired certificate as part of the chain.

For all practical purposes DST Root CA X3 is dead. Just install the new one (valid until 2035) and move on.
Alejandro85, can you explain what are those for?
I use Firefox or Edge. Do need those?
 

My Computers My Computers

  • At a glance

    Windows 7 HP 64i5 6600K - 800MHz to 4200MHz4+4G GSkill DDR4 3000IG - Intel 530
    Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    custom build
    OS
    Windows 7 HP 64
    CPU
    i5 6600K - 800MHz to 4200MHz
    Motherboard
    GA-Z170-HD3P
    Memory
    4+4G GSkill DDR4 3000
    Graphics Card(s)
    IG - Intel 530
    Monitor(s) Displays
    Samsung 226BW
    Screen Resolution
    1680x1050
    Hard Drives
    (1) -1 SM951 – 128GB M.2 AHCI PCIe SSD drive for Windows 7 and Lubuntu
    (2) -1 WD SATA 3 - 1T for Data
    (3) -1 WD SATA 3 - 1T for backup
    PSU
    Thermaltake 450W TR2 gold
    Keyboard
    Old and good Chicony mechanical keyboard
    Mouse
    Logitech mX performance - 9 buttons (had to disable some)
    Internet Speed
    500Mb/s
    Browser
    Firefox 64
    Other Info
    TinyWall firewall
  • At a glance

    Windows 7 Proi7-4500U 800MHz to 3.0GHz(4+4)G DDR3 1600IG intel 4400 + NVIDIA GeForce GT 745M
    Computer type
    Laptop
    System Manufacturer/Model Number
    Asus Q550LF
    OS
    Windows 7 Pro
    CPU
    i7-4500U 800MHz to 3.0GHz
    Motherboard
    Asus Q550LF
    Memory
    (4+4)G DDR3 1600
    Graphics Card(s)
    IG intel 4400 + NVIDIA GeForce GT 745M
    Sound Card
    Realtek
    Monitor(s) Displays
    LG Display LP156WF4-SPH1
    Screen Resolution
    1920 x 1080
    Hard Drives
    BX500 120G SSD for Windows and programs +
    1T HDD for data
    Internet Speed
    500 Mb/s
    Browser
    Firefox
    Other Info
    TinyWall firewall
I forgot to mention that I either put two of the certificates DST Root CA X3 in the Non-Authorized certificates store by drag and drop them there, after unactivated them in their properties. They haven't recreated themselves in their original place (Third-Party store), ISRG Root X1 replace them there. Both are from Let's Encrypt and both tagged "revoked".
 

Attachments

  • R3.JPG
    R3.JPG
    30.8 KB · Views: 5
  • LetsencryptauthorityX3.JPG
    LetsencryptauthorityX3.JPG
    33.1 KB · Views: 5

My Computer My Computer

At a glance

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]Ivy Bridge Core i5 3570K (Delidded)G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)Asus Dual-RX480-O4G
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)
Back
Top