Google to distrust Entrust SSL/TLS certificates: What this means for the industry
In a significant move to enhance digital certificate security, Google Chrome has announced its decision to distrust public SSL/TL certificates issued by Entrust after November 11, 2024.
Article updated on 11th September, 2024 due to latest Google announcement.
This announcement has sent not just ripples, but waves through the industry, particularly among Entrust customers who now face the urgent task of transitioning to new Certificate Authorities (CAs) for their digital certificate needs. Current Entrust customers can contact our team at Sectigo for help on what to do next.
The catalyst for distrust
Google's decision to distrust is rooted in a series of compliance failures by Entrust. Over the past several months, Entrust has experienced significant issues, including extremely delayed revocations and multiple lapses in meeting established security standards. Google's Security Blog noted, "Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports." This lack of progress and ongoing issues justified the revocation of trust in Entrust's public roots.
To be trusted by a browser, a CA must comply with specific baseline requirements requirements defined by the CA/Browser Forum. Transparency is crucial, as CAs are expected to work in good faith with browsers to fix and prevent issues. Recent root program audits indicated a lack of confidence in Entrust's TLS certificate issuance practices, so this news wasn’t completely unexpected to the industry, and prompted Google's decision to distrust Entrust certificates in the Chrome browser.
What you need to do if you have Entrust certificates
For businesses currently using Entrust certificates services, this development necessitates immediate action. Any website using an Entrust certificate issued after November 11 will be treated as an unsecured site on Google Chrome, and likely other major browsers will follow suit.
This means companies must have a new certificate authority in place to replace certificates expiring after November 11, 2024 to avoid their websites being flagged as untrusted. We highly recommend Entrust customers start searching for a new SSL certificate provider and to ensure there’s no disruption to business operations when the switch occurs.
Choosing a reputable Certificate Authority
Considering Entrust's failings, businesses must reassess their relationships with CAs. A reputable CA should demonstrate robust compliance with industry standards, transparent operations, and a proven track record of cybersecurity and reliability. Companies like Sectigo, which is the world's most chosen commercial CA, offers industry-leading SSL certificates along with comprehensive certificate lifecycle management solutions, presenting viable alternatives for Entrust customers.
Sectigo’s SSL/TLS certificate options include:
Beyond providing SSL certificates, Sectigo Certificate Manager (SCM) is a cloud-native platform that provides full visibility and automated lifecycle management for all public and private certificates, regardless of the issuing CA. It can be instrumental in ensuring a smooth transition from Entrust certificates and maintaining robust security postures.
Industry-wide impact
Google's decision has broader implications beyond the immediate need to source a new CA. It highlights the critical role of Certificate Authorities in maintaining digital trust and the ongoing necessity for stringent compliance and security measures. The CA/B Forum’s standards are designed to protect the integrity of digital communications, and failures like those exhibited by Entrust can erode this trust, necessitating firm actions from browser vendors like Google.
Future outlook:
- Increased Scrutiny: Other CAs will likely face increased scrutiny, prompting a reevaluation of their compliance and security practices.
- Enhanced Standards: The CA/B Forum may introduce more rigorous standards to prevent similar incidents, ensuring that CAs adhere to the highest levels of security and reliability.
- Proactive Measures: Companies should adopt proactive measures in managing their digital certificates, including regular audits, compliance checks, and staying informed about industry developments.
Moving ahead
Google’s distrust of Entrust SSL/TLS certificates serves as a stark reminder of the crucial role that Certificate Authorities play in the digital ecosystem. For businesses, this development is a call to action to reassess and fortify their digital security strategies, ensuring they partner with reliable and compliant CAs. The industry, meanwhile, must continue to evolve, embracing higher standards and more robust compliance measures to maintain and enhance digital trust.
Navigating this transition may be challenging, but with the right tools and partners, businesses can ensure a seamless shift to trusted certificates, safeguarding their operations and customer trust in the digital age. By automating certificate lifecycle management and practicing enterprise-wide crypto-agility, organizations can ensure a seamless CA migration with minimal disruption and maximum security. As the cryptography landscape continues to evolve with new quantum-safe algorithms and 90-day certificates, organizations should implement automation and become crypto-agile today as a best practice for maintaining a resilient security posture.
How Sectigo can help you with simple CA migration
Sectigo Certificate Manager (SCM) is a scalable, CA-agnostic certificate lifecycle management (CLM) solution that automates all certificate processes end-to-end. You can discover, inventory, monitor, replace, revoke and renew all your public and private certificates, through a central management console. Sectigo’s products bring together visibility, automation, and control across on-premises, multi-cloud, hybrid cloud, IoT, and containerized environments to simplify certificate lifecycle management, improve efficiency, build crypto-agility, and ensure continuous compliance.
To quickly migrate from Entrust CA to Sectigo, request a SCM platform demo today or browse through our SSL/TLS certificate options and we will support you through this transition.