When Let’s Encrypt first launched, we needed to ensure that our certificates were widely trusted. To that end, we arranged to have our intermediate certificates cross-signed by IdenTrust’s DST Root CA X3. This meant that all certificates issued by those intermediates would be trusted, even while our own ISRG Root X1 wasn’t yet. During subsequent years, our Root X1 became widely trusted on its own. Come late 2021, our cross-signed intermediates and DST Root CA X3 itself were expiring.
Let’s Encrypt is one of the best things to ever happen to the Internet. It used to be a pain in the ass and take days to get certificates for domains and set them up on a server, and now you can buy a domain and deploy a functional and secure website within 15 minutes. Lowering the barrier to entry for HTTPS was a game changer. I appreciate their clear communication about their timeline for changing their signing chain. If anyone is still using an 8-year-old Android phone, it’s probably time for an upgrade anyway.