Entrust Will Be Distrusted Soon!
Ensuring your website’s security is paramount in today’s digital age. However, recent developments have cast doubt on the reliability of Entrust’s TLS certificates, leading to significant changes in their trustworthiness. If you rely on Entrust for your digital certificates, it’s crucial to understand what these changes mean and how to navigate them to maintain your site’s security.
Entrust Certificate Distrust: What Happened?
On June 27, 2024, Google’s Chrome Security Team (CST) published an article titled “Sustaining Digital Certificate Security – Entrust Certificate Distrust,” which shook the digital security community. The CST announced that due to numerous publicly disclosed incidents over the years, Entrust’s competence, reliability, and integrity as a publicly-trusted Certificate Authority (CA) owner have been significantly compromised. As a result, Chrome’s continued trust in Entrust is no longer justified.
What Is the Chrome Security Team Doing?
Starting from Chrome version 127 and higher, which will be released after October 31, 2024, TLS certificates issued by Entrust’s root CAs after this date will no longer be trusted. Such certificates will not be considered valid in Google Chrome, the browser holding over 65.68% of the market share as of June 2024. The following Entrust roots will be affected:
- CN=Entrust Root Certification Authority - EC1
- CN=Entrust Root Certification Authority - G2
- CN=Entrust.net Certification Authority (2048)
- CN=Entrust Root Certification Authority
- CN=Entrust Root Certification Authority - G4
- CN=AffirmTrust Commercial
- CN=AffirmTrust Networking
- CN=AffirmTrust Premium
- CN=AffirmTrust Premium ECC
How to Know if You Are Affected
If your website’s TLS certificate is issued by Entrust, you are directly affected by this change. If your certificate was white-labelled, verify whether its intermediate CA was issued from an Entrust root CA. You can use Chrome’s certificate viewer to check your site’s certificate: look at the issuing authority in the “Issued By” section to confirm whether Entrust is your CA.
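One way to script this check over a whole served chain, so that a white-labelled intermediate is caught as well (an added example, not part of the original article). It assumes the leaf certificate's notBefore date stands in for its issue date; the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# CNs of the affected roots as listed above (the certificates use an ASCII hyphen).
ENTRUST_ROOT_CNS='Entrust Root Certification Authority - EC1
Entrust Root Certification Authority - G2
Entrust.net Certification Authority (2048)
Entrust Root Certification Authority
Entrust Root Certification Authority - G4
AffirmTrust Commercial
AffirmTrust Networking
AffirmTrust Premium
AffirmTrust Premium ECC'
CUTOFF=20241031   # article: certificates issued after October 31, 2024

# Split a PEM bundle on stdin; print issuer and notBefore per certificate.
# Live use (needs network; host is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null \
#     2>/dev/null | chain_fields | classify_chain
chain_fields() {
  pem=''
  sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' | while IFS= read -r l; do
    pem="$pem$l
"
    case $l in *'END CERTIFICATE'*)
      printf '%s' "$pem" | openssl x509 -noout -issuer -startdate; pem='' ;;
    esac
  done
}

# Read chain_fields output (leaf first) and print one verdict.
classify_chain() {
  ROOTS="$ENTRUST_ROOT_CNS" awk -v cutoff="$CUTOFF" '
    BEGIN { n = split(ENVIRON["ROOTS"], r, "\n")
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i }
    /^issuer=/ {                            # any issuer in the chain naming a listed root
      line = $0; gsub(/ *= */, "=", line)   # "CN = x" and "CN=x" both become "CN=x"
      for (i = 1; i <= n; i++) if (index(line, "CN=" r[i])) hit = 1
    }
    /^notBefore=/ && !seen {                # first notBefore belongs to the leaf
      seen = 1; sub(/^notBefore=/, "")      # assumption: notBefore approximates issue date
      issued = sprintf("%04d%02d%02d", $4, mon[$1], $2)
    }
    END {
      if (!hit) print "not-entrust"
      else if (issued + 0 > cutoff + 0) print "distrusted"
      else print "entrust-before-cutoff"
    }'
}
```

The server must send its intermediates for the white-label case to be detected, because the root's name appears only as the issuer of the topmost intermediate.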
What You Need to Do
To ensure your website remains secure and trustworthy, you must purchase a new certificate from another Certificate Authority (CA). Unfortunately, reissuing the certificate through Entrust will not be an option, as all Entrust TLS roots will be distrusted. It is also advisable to seek a refund from Entrust for any losses incurred due to this situation. Here are the steps you should follow:
- Select a New CA: Choose a reputable CA that meets the security standards expected by modern browsers. DigiCert is a highly recommended alternative known for its commitment to innovation and reliability.
- Generate a Certificate Signing Request (CSR): This is the first step in obtaining a new certificate. It involves creating a CSR, which you will submit to your new CA.
- Submit CSR and Obtain New Certificate: Submit the CSR to your chosen CA. They will process your request and issue a new certificate.
- Install the New Certificate: Once issued, you will need to install the new certificate on your server. This process ensures that your site’s communications remain encrypted and secure.
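The CSR step above, sketched so that the replacement request covers the same host names as the certificate being retired (an added example, not part of the original article). It assumes OpenSSL 1.1.1 or later; the function name, file names and the choice of a 2048-bit RSA key are assumptions.

```shell
#!/bin/sh
# new_csr CURRENT_CERT.pem OUT_PREFIX
# Writes OUT_PREFIX.key and OUT_PREFIX.csr, prints the SAN list found in the CSR.
new_csr() {
  cert=$1
  out=$2

  # Common name of the certificate being replaced.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')

  # SAN list as printed by openssl ("DNS:a, DNS:b, IP Address:192.0.2.1"),
  # rewritten into the syntax -addext expects ("DNS:a,DNS:b,IP:192.0.2.1").
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
        sed -n '2p' | sed 's/^ *//; s/IP Address:/IP:/g; s/, */,/g')

  [ -n "$cn" ] && [ -n "$san" ] || { echo "no CN or SAN in $cert" >&2; return 1; }

  # Fresh key pair, readable only by the owner; the old private key is not reused.
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$out.key" -out "$out.csr" \
      -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null ) || return 1

  # Self-check before submitting: signature verifies, SAN list is present.
  openssl req -in "$out.csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$out.csr" -noout -text |
    sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}
```

For OV and EV orders the new CA fills in the organisation fields from its own validation, so the request carries only the names to be secured.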
How Urgent Is This Matter?
Immediate action is necessary. Based on our extensive experience as a professional TLS integrator and distributor handling over 500,000 TLS certificates, the process of ordering and issuing an Extended Validation (EV) or Organisation Validation (OV) certificate typically takes about 1-3 weeks, excluding procurement time. Therefore, starting the transition now is critical to avoid disruptions. If you delay, you risk your site becoming inaccessible or untrusted by Chrome users.
Which Certificate Authority to Choose?
DigiCert, a global leader in digital trust, is a highly recommended alternative. DigiCert’s commitment to innovation and reliability ensures that your company’s TLS certificates are in the safest hands, backed by industry-leading encryption and strict industry compliance. Engage with a dedicated account manager to ensure your site remains secure during this transition.
Testing the Impact in Advance
Chrome version 128 includes tools that allow you to simulate the impact of this change. By using these tools, you can prepare and make necessary adjustments before the November 1, 2024 deadline. Testing in advance helps ensure a smooth transition and avoids unexpected disruptions to your site’s accessibility.
User Experience Changes in Chrome 127 and Higher
From November 1, 2024, Chrome users will encounter a full-page warning when accessing sites with certificates issued by Entrust or AffirmTrust after this date. This warning serves to protect users from potentially insecure sites. As a website operator, it is your responsibility to ensure that your site’s visitors do not face these warnings. Transitioning to a trusted CA will maintain user trust and prevent potential security concerns.
Future of Certification Authorities
The need for rigorous standards in the CA industry has never been more apparent. The CA/Browser Forum plays a critical role in setting and enforcing these standards, ensuring that only trustworthy CAs are recognized by major browsers. As the digital landscape continues to evolve, we can expect further scrutiny and higher expectations for CAs, which will ultimately lead to a more secure internet environment. Key areas of focus for the future include:
- Enhanced Validation Processes: Strengthening the processes for issuing and validating certificates to prevent misuse.
- Transparency and Reporting: Increasing transparency in CA operations and improving mechanisms for reporting and addressing security incidents.
- Adapting to New Threats: Continuously evolving security measures to address emerging cyber threats and vulnerabilities.
Google Chrome’s decision to distrust Entrust highlights the importance of rigorous security standards and accountability in the digital world. Website operators must transition to trusted CAs to maintain the security and accessibility of their sites. By staying informed and proactive, we can collectively uphold a safer internet environment. For more detailed information, please refer to Chrome’s official announcements and guidelines. Stay secure and ensure your site remains trusted by users worldwide.