Let’s Encrypt WILL support Windows XP very soon

Update Wed 30 March 2016:  Windows XP browsers ARE NOW SUPPORTED – you don’t need to do anything for this to take effect other than renew your certificate and restart Apache or Nginx.

At present, Let’s Encrypt certificates don’t work on Windows XP (except for Firefox.) This is because IdenTrust, their cross-signatory, requires a certificate extension known as “NameConstraints” to prevent certificates being signed for .mil (or US military) domains.  It looks a bit like this:

     [1]Subtrees (0..Max):
          DNS Name=.mil

Unfortunately XP doesn’t understand this so the certificate breaks.

Anyway, they’ve resolved this nowbut as the certificates will still be from IdenTrust I’m unclear how exactly, the new intermediate certificate won’t have nameConstraints.

This is excellent: it’ll mean there are no real arguments against moving all your existing (paid) certificates over when – or even before – they expire, or adding https:// support to sites without it.

You will need to renew all your certificates to get WinXP support, however one of the advantages of Let’s Encrypt is that the certificates have a short lifetime (3 months), so everyone gets upgraded quickly.  They may make the lifetime shorter in future, if anything.

Note also, the service is still in beta and I would hesitate to criticise them for a problem caused by a deprecated OS, compounded by a political issue.  The rest of the product is already close to perfect.

I have published some Let’s Encrypt tips.