Skip to main content

How to install ISRG Root certificate on your machine

· 4 min read
Sudhir M.

Learn how to install ISRG Root certificate to remove the invalid certificate errors caused by caused by expired IdentTrust DST Root after 30th September, 2021

What happened ?

We are using Let's Encrypt to provide TSL certificate (https) to us across our web services. The root certificate used by Let's Encrypt i.e. IdentTrust DST Root CA X3 has been expired on 30th September 2021. Let's Encrypt has switched to using "ISRG Root X1" as the new root certificate. You can read the official announcement here.

These root certificate are part of operating systems and are generally updated during the OS update process. You might be facing this issue if your device doesn't have up-to-date information regarding certificates. If that is the case, you might face the similar issue on other websites as well. The issue looks similar to following:

Your connection is not private
Attackers might be trying to steal your information...


Please follow this guideline on how to fix the above problem.

Restart your System

Before we proceed any further, you MUST restart your devices. Restarting will allow some system updates to be installed automatically. In some cases, this will be sufficient to solve the above problem.

After restart, please open your Sembark dashboard. If everything is working then there are no further actions required.

If the issue still exists, we will have to install the certificate manually. Continue reading to install it on your device.

Download Certificate

We will start by downloading the latest certificate from the official website of Let's Encrypt. Visit from your browser.


You might be prompted with the same error here as well. Simply click on Show Advanced and click on Proceed to visit the website.

Scroll down till the Root Certificates section and download the pem file from the ISRG Root X1 -> Self-signed url. We will use this file to install the certificate.

Image showing Let's Encrypt web page with the Root Certificates

Install Certificate

Windows OS

  1. Open command prompt application. To open it, click on "Windows" key on your keyboard and search for cmd. Click on the "Command Prompt" application from the search results. Image showing how to search for Command Prompt on Windows OS
  2. Type certmgr in the command prompt and press "Enter". This will open the "Certificates Manager" where you can view all your certificate. Image showing the command to open the Certificates Manager on Windows
  3. Under Trusted Root Certification Authorities -> Certificates, you can view the expired DST Root CA X3. Double clicking on it will show more details regarding its expiration. Image showing the expired root certificate on Windows
  4. Now we will install the downloaded certificate. Right click on the Certificates folder and click on All Tasks and then click on Import to start the process. Image showing root certificate import action
  5. That will open the Certificate Import Wizard. Click on NextImage showing first step of certificate import wizard
  6. That will open the file selection dialog. From the bottom-right corner of this dialog, change the drop-down option to All Files (.*)Image showing selection file filters change to all files
  7. Now locate the downloaded pem file and click on it to select it. Once selected, click on Open to continue. Image showing downloaded and selected root certificate
  8. Continue clicking on Next on subsequent screens. Image showing selected certificate path preview on wizard
  9. When prompted with security warning, click on "Yes" and that installation will be completed. Image showing final security confirmation before certificate install
  10. If everything goes well, you will prompted with a success message.

Verify Install

Please visit your Sembark Dashboard and refresh the application. The error should be gone. You should also verify the lock icon in the search bar.

Image showing verified root certificate for Sembark

If you are still facing the issue, please reach out to our support team.