Using certificates issued by Entrust? Immediate action is required!

Breaking news! Google advises companies to transition away from Entrust immediately, as they will no longer trust certificates issued by Entrust after October 31, 2024.

In a significant move to maintain the integrity and security of the internet ecosystem, Google Chrome Security Team has announced that, effective October 31, 2024, they will no longer trust digital certificates issued by Entrust. This decision comes in the wake of multiple incident reports highlighting troubling behaviors by Entrust that fail to meet the stringent security and compliance expectations required of Certification Authorities (CAs).

Now, Mozilla, the developer of the Firefox browser, has followed Google’s lead by announcing that they too will no longer trust certificates issued by Entrust from November 30th 2024, citing similar concerns. This joint action by two of the largest browsers underscores the seriousness of the issue and the need for companies to take immediate action to ensure their websites remain secure and trusted by users.

Why is Chrome Taking This Action?

Certification Authorities play a pivotal role in securing online communications, ensuring that the internet remains a trustworthy platform for users worldwide. Given this immense responsibility, CAs must adhere to the highest security and reliability standards. Google’s decision to revoke trust in Entrust is based on a comprehensive evaluation of several public incident reports, which collectively point to a pattern of conduct that undermines confidence in Entrust’s ability to function as a reliable CA.

The Chrome Security Team stated, “When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified.”

Similarly, Mozilla has expressed concerns over the same issues, emphasizing that maintaining trust in Entrust’s certificates is no longer viable.

What Should Affected Website Operators Do?

For website operators using Entrust-issued certificates, immediate action is required to transition to a new, publicly-trusted CA. To avoid potential disruptions and ensure that your website remains secure and trusted by users, it is crucial to complete this transition before the expiration of your current certificate(s), especially if they expire after October 31, 2024.

Recommended Steps:

Identify All Entrust-Issued Certificates: Conduct an audit of your current digital certificates to identify those issued by Entrust.

Select a New Publicly-Trusted CA: Choose a reliable CA that meets Google’s trust standards and can provide the necessary certificates.

Transition to New Certificates: Begin the process of acquiring and installing new certificates from your selected CA well before the deadline to ensure a smooth transition.

Monitor and Verify: Continuously monitor your website’s certificate status and verify that all new certificates are properly installed and functioning as intended.

Stay Informed
For more detailed information on this important change and guidance on how to transition smoothly, please read the full announcement on the Google Security Blog.