On september the 30th of 2021, the <a target="_blank" href="https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/">Let's Encrypt DST Root CA X3 certificate expired</a> .
If you are hosting a website on Windows Server with IIS, if you generated your TLS certificates with win-acme and if you don't have the new ISRG Root X1 certificate in your Windows trust store, the certificates of your website were signed with the now obsolete DST Root CA X3, and your website/service might not be accessible by some clients.
To generate certificates signed with the ISRG root certificate, you need to first install this Root cert in your trust store.
<ul>
<li>On your Windows Server, download the self-signed ISRG Root X1 der certificate : <a href="https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/" class="autolinkedURL autolinkedURL-url" target="_blank">letsencrypt.org/docs/dst-root-ca-x3-expirat..</a>
</li>
<li>Then install the certificate. 
</li>
<li>Disable the old DST Root CA X3 : Windows &gt; "Manage computer certificates" &gt; Trusted Root Certification Authorities &gt; Certificates Then right-click "DST Root CA X3" &gt; Properties and tick "Disable all purpose for this certificate".
</li>
</ul>
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1632997720007/jGQC09yDj.png" alt="image.png" />
You can now generate new valid certificates for your websites with <a target="_blank" href="https://www.win-acme.com/">win-acme</a> client.

On september the 30th of 2021, the  [Let's Encrypt DST Root CA X3 certificate expired](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/) .

If you are hosting a website on Windows Server with IIS, if you generated your TLS certificates with win-acme and if you don't have the new ISRG Root X1 certificate in your Windows trust store, the certificates of your website were signed with the now obsolete DST Root CA X3, and your website/service might not be accessible by some clients.

To generate certificates signed with the ISRG root certificate, you need to first install this Root cert in your trust store.

- On your Windows Server, download the self-signed ISRG Root X1 **der** certificate :  
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

- Then install the certificate. 

- Disable the old DST Root CA X3 :    
Windows > "Manage computer certificates" > Trusted Root Certification Authorities > Certificates  
Then right-click "DST Root CA X3" > Properties and tick "Disable all purpose for this certificate".

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1632997720007/jGQC09yDj.png)


You can now generate new valid certificates for your websites with  [win-acme](https://www.win-acme.com/)  client. 

Alexandre Hausherr's Blog

Alexandre Hausherr's Blog

ISRG Root X1 signed certificates with win-acme for IIS