Entrust is officially distrusted by Google Chrome with immediate effect!

What: All external Entrust SSL/TLS certificates (including AffirmTrust) issued after October 31, 2024, will be distrusted (external Entrust SSL/TLS certificates issued before November 1, 2024, will not be affected, but can’t be renewed from an Entrust Root CA).

When: Google Chrome 127 is already in beta and expected to go live in production July 17, 2024, which means that all Entrust and AffirmTrust certificates de facto will be untrusted if issued after October 31, 2024. In other words: Now!

Why: This dramatic change happens due to concerning behaviour from Entrust regarding non-compliant security practices and vague explanations to these issues combined with slow and incompetent responses to the questions raised by the industry.

Who: All Entrust SSL/TLS customers including resellers and partners will be affected. Invalid certificates already issued and soon to be not possible to issue certificates from Entrust and AffirmTrust Root CAs.

Sources:

• https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html

• https://groups.google.com/a/ccadb.org/g/public/c/29CRLOPM6OM/m/-tvW5l-lAAAJ?pli=1

Risk assessment:

This could potentially mean that several of your business critical services will stop working during July, when you might be away on your summer holidays, if you don’t manage to replace the distrusted certificates with a trusted certificate.

Google statements and advice:

Google Chrome Root program says: Our decision is based on a consistent pattern of unmet commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports over the past six years. While our decision is firm and one we consider reasonable given the potential for harm a public CA poses to the Internet ecosystem, we encourage Entrust to remain committed to the principles described in their latest report and to demonstrate genuine change. By doing so, they may have the opportunity to regain the trust required to serve as a public CA in the future.

Google Chrome Root program continues: We recommend that affected website operators transition to a new publicly-trusted CA Owner as soon as reasonably possible. To avoid adverse website user impact, action must be completed before the existing certificate(s) expire if expiry is planned to take place after October 31, 2024.

While website operators could delay the impact of blocking action by choosing to collect and install a new TLS certificate issued from Entrust before Chrome’s blocking action begins on November 1, 2024, website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store.

What’s next:

Here’s our simple 3-step plan to fixing the potentially huge problem.

If you are unsure if you will be affected by the distrust of Entrust Root CAs, please contact us for a completely free SSL360 scan with no obligations in order to have a 100% accurate output.

1. Discover all your Entrust (AffirmTrust) SSL/TLS certificates. Contact us and we’ll provide a free SSL360 scan of all of your domains to give you an exact overview and tell you if you’re affected. You can test the scan here: https://trustzone.com/solutions-discovery-tools-ssl-360/#ssl-checker

2. Manage all affected certificates from you SSL360 scan by renewing these instantly with another Certificate Authority (CA) to solve the critical situation short-term. We can help you do this in an easy way.

3. Design your future plan for solving the problem long-term and re-design your workflows and processes if you have more business critical services relying on Entrust PKI components, solutions and products. We can give you advice on best practices based on +20 years of industry experience.

In doubt? Please reach out to us now – we’ll assist you, and help you mitigate catastrophic outages.