IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3. The new cross-sign will be somewhat novel because it extends beyond the expiration of DST Root CA X3. This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors.
And later again:
But isn’t DST Root CA X3 expiring?
The self-signed certificate which represents the DST Root CA X3 keypair is expiring. But browser and OS root stores don’t contain certificates per se, they contain “trust anchors”, and the standards for verifying certificates allow implementations to choose whether or not to use fields on trust anchors. Android has intentionally chosen not to use the notAfter field of trust anchors. Just as our ISRG Root X1 hasn’t been added to older Android trust stores, DST Root CA X3 hasn’t been removed. So it can issue a cross-sign whose validity extends beyond the expiration of its own self-signed certificate without any issues.
I find it funny that Android does not enforce the expiration dates of CA root certs. So even though the IdenTrust CA root cert on Android devices has expired, it is still considered valid, and any certs signed by it, even with dates much later than its own expiry, are considered valid. This way IdenTrust can sign Let's Encrypt's own root cert, with which Let's Encrypt can issue other certs. If you are on a non-Android device I presume you ignore the IdenTrust root cert as you already trust Let's Encrypt's root cert, while if you are on Android you trust Let's Encrypt either because you trust its root cert (newer devices) or because you trust the signature from the expired IdenTrust root cert (older device). It's a smart workaround.
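The mechanism quoted above, shown as an added example (constructed here; not code from Let's Encrypt, IdenTrust or the page author): a miniature of the hierarchy is built with Go's standard crypto/x509 package, and a deliberately small chain verifier takes one switch for whether the trust anchor's own notBefore/notAfter are enforced. Subject names and dates mirror the public ones, but the keys and certificates are generated on the fly, and VerifyChain is a hand-rolled check that only does validity dates, issuer/subject name chaining and signatures (no revocation, name constraints or EKU); it exists to make the policy difference visible, not to replace a real verifier (Go's own x509.Verify, for instance, does check the anchor's dates).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func date(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

var serial int64

// issue creates a certificate for subjectKey's public key, signed by issuerKey.
// parent == nil yields a self-signed certificate.
func issue(cn string, notBefore, notAfter time.Time, isCA bool,
	subjectKey *ecdsa.PrivateKey, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der))
}

// PKI is a constructed miniature of the real hierarchy. Dates follow the public
// ones: DST Root CA X3 expires 2021-09-30, the cross-signed ISRG Root X1 2024-09-30.
type PKI struct{ DSTRoot, ISRGRoot, ISRGCross, R3, Leaf *x509.Certificate }

func BuildPKI() PKI {
	dstKey, isrgKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	dst := issue("DST Root CA X3", date(2000, 9, 30), date(2021, 9, 30), true, dstKey, nil, dstKey)
	isrg := issue("ISRG Root X1", date(2015, 6, 4), date(2035, 6, 4), true, isrgKey, nil, isrgKey)
	// The cross-sign: same subject and key as the self-signed ISRG Root X1, but
	// issued by DST Root CA X3 with a notAfter three years beyond DST's own.
	cross := issue("ISRG Root X1", date(2021, 1, 20), date(2024, 9, 30), true, isrgKey, dst, dstKey)
	r3 := issue("R3", date(2020, 9, 4), date(2025, 9, 15), true, r3Key, isrg, isrgKey)
	leaf := issue("example.com", date(2022, 3, 1), date(2022, 5, 30), false, leafKey, r3, r3Key)
	return PKI{dst, isrg, cross, r3, leaf}
}

// VerifyChain checks leaf -> intermediates... -> anchor at time now. Every
// certificate below the anchor must be inside its validity period, name-chain to
// the next one up and carry a valid signature from it. The anchor is trusted by
// identity, so its own dates are consulted only when enforceAnchorDates is true
// (browser/OpenSSL behaviour); Android behaves like false.
func VerifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate,
	anchor *x509.Certificate, now time.Time, enforceAnchorDates bool) error {
	chain := append([]*x509.Certificate{leaf}, intermediates...)
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("%q is not valid on %s", c.Subject.CommonName, now.Format("2006-01-02"))
		}
		issuer := anchor
		if i+1 < len(chain) {
			issuer = chain[i+1]
		}
		if !bytes.Equal(c.RawIssuer, issuer.RawSubject) {
			return fmt.Errorf("%q was not issued by %q", c.Subject.CommonName, issuer.Subject.CommonName)
		}
		if err := c.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("bad signature on %q: %w", c.Subject.CommonName, err)
		}
	}
	if enforceAnchorDates && (now.Before(anchor.NotBefore) || now.After(anchor.NotAfter)) {
		return fmt.Errorf("trust anchor %q is not valid on %s", anchor.Subject.CommonName, now.Format("2006-01-02"))
	}
	return nil
}

func main() {
	p := BuildPKI()
	now := date(2022, 4, 1) // DST Root CA X3 has expired, the cross-sign has not
	modern := []*x509.Certificate{p.R3}           // store that already trusts ISRG Root X1
	old := []*x509.Certificate{p.R3, p.ISRGCross} // old Android store that trusts only DST Root CA X3
	fmt.Println("modern store, strict:", VerifyChain(p.Leaf, modern, p.ISRGRoot, now, true))
	fmt.Println("old store, strict:   ", VerifyChain(p.Leaf, old, p.DSTRoot, now, true))
	fmt.Println("old store, Android:  ", VerifyChain(p.Leaf, old, p.DSTRoot, now, false))
}
```

Evaluated on 2022-04-01, the path through the self-signed ISRG Root X1 passes under either policy, the path through the cross-sign to DST Root CA X3 is rejected when anchor dates are enforced and accepted when they are ignored, and the cross-sign alone does not let a chain without it reach DST Root CA X3, since R3 is not issued by that name. The caveat worth keeping in mind is that only the anchor's dates are optional: the cross-signed ISRG Root X1 is an ordinary chain certificate, so once its own notAfter passes the old-Android path fails regardless of policy, which is why the cross-sign buys a fixed window rather than indefinite compatibility.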