Compliance 01-14-2025

The ripple effect of Mozilla’s distrust of Entrust roots

Brian Trzupek

When Mozilla announced its decision to distrust Entrust-issued TLS/SSL certificates, the cybersecurity world took notice. Headlines—including many here at DigiCert—zeroed in on the reasons behind the distrust and on the when, where, and how Entrust customers needed to replace their certificates.

But the full story extends far beyond browser-based interactions. Mozilla’s decision has cascading implications that ripple through every ecosystem dependent upon its trust store, with significant consequences for platforms, applications, and end users alike. 

Beyond Firefox: The cascading effect of Mozilla’s decision to distrust

Mozilla’s distrust of Entrust roots isn't limited to Firefox—it has the potential to trickle down to a number of platforms and applications. That’s because the Mozilla trust store is relied upon by numerous non-browser TLS clients in open-source ecosystems, including Linux environments, Oracle systems, curl development tools, and other crucial technologies that are used every day. 

When these systems encounter a distrusted or expired certificate, it won’t just be a momentary inconvenience—it could grind operations to a halt. Here’s a closer look at the systems and tools affected. 

Oracle systems

Oracle's enterprise tools depend heavily on trusted certificates for secure communication. Distrust of Entrust root certificates affects these environments, but the real kicker lies in Java's reliance on these roots. 

Java serves as the backbone for countless mission-critical applications, from CRM solutions like Salesforce to big data analytics and mobile apps. Automated systems that fail because of a bad certificate will cause outages and disruptions, which means a breakdown in trust at this level doesn’t just disrupt workflows—it jeopardizes the security and reliability of some of the most essential tools in the enterprise arsenal. 

Linux distributions

Many Linux distributions use Mozilla’s Network Security Services (NSS), an open-source set of cryptographic libraries used by Red Hat, Google, and other companies in a variety of products, and ship its root store as their system CA bundle. The distrust has a domino effect, affecting package managers, system updates, and other essential processes, which creates widespread challenges across diverse Linux-based environments.

curl and OpenSSL developers

The curl tool is indispensable for making API calls, automating scripts, and interacting with web services. OpenSSL is similarly foundational for secure communication on servers and websites. When certificates lose trust, the developers who rely on them face errors, delays, and disruptions that ripple through the entire development and deployment lifecycle.

Email clients

Even email clients like Mozilla Thunderbird, with its robust user base, aren’t immune. Thunderbird doubles as a personal information manager, handling calendars, contacts, and RSS feeds. Distrusted Entrust root certificates could interrupt these functions, creating headaches for users relying on its seamless functionality.

What your organization can do to stay secure

Trust is essential to enabling the interconnectedness of modern digital ecosystems. It’s crucial for organizations to prepare for and respond to root store changes to ensure the security and trustworthiness of their digital communications.

Follow these steps to ensure distrusted roots don’t impact your organization.

    1. Continuously audit: Commit to regular audits and continuous monitoring to identify Entrust roots and Entrust-issued certificates so you can detect and replace affected certificates with trusted alternatives.

    2. Prepare an incident response plan: Maintain an updated incident response plan to handle certificate authority (CA) compromises efficiently and remove any certificates pinned to Entrust roots or ICAs. 

    3. Automate compliance monitoring: Run automated compliance checks on your certificates with tools like pkilint, DigiCert’s free open-source certificate linter.

    4. Automate certificate management: Automate your certificate lifecycle management (CLM) so you can quickly discover and replace problem certificates—before they become a problem.
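The audit-and-detect part of the steps above, as an added example that is not DigiCert's, Mozilla's or Entrust's code: it takes a certificate inventory exported with `openssl x509 -noout -subject -issuer -enddate` (one subject/issuer/notAfter record per certificate, as that command prints them), rebuilds each leaf's chain from the issuer links, and flags leaves that chain through a root or intermediate whose organization is Entrust, that have expired, or whose root is missing from the inventory. All names in the sample inventory are constructed; the only real-world detail the parser relies on is that OpenSSL escapes a literal comma inside a DN value as `\,`, which a naive split on commas would break.

```python
# Added example, not code from the original post or from DigiCert.
# Assumes each certificate was exported with:
#   openssl x509 -in cert.pem -noout -subject -issuer -enddate
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample inventory with fictional names (not real certificates).
# Raw string so the "\," that OpenSSL emits for embedded commas survives.
SAMPLE_INVENTORY = r"""
subject=C = US, O = Example Corp, CN = api.example.test
issuer=C = US, O = Entrust\, Inc., CN = Entrust Example ICA (constructed)
notAfter=Mar  3 12:00:00 2026 GMT
subject=C = US, O = Entrust\, Inc., CN = Entrust Example ICA (constructed)
issuer=C = US, O = Entrust\, Inc., CN = Entrust Example Root (constructed)
notAfter=Dec 31 23:59:59 2030 GMT
subject=C = US, O = Entrust\, Inc., CN = Entrust Example Root (constructed)
issuer=C = US, O = Entrust\, Inc., CN = Entrust Example Root (constructed)
notAfter=Dec 31 23:59:59 2035 GMT
subject=C = US, O = Example Corp, CN = mail.example.test
issuer=C = US, O = Other CA LLC, CN = Other Example ICA (constructed)
notAfter=Jan  1 00:00:00 2025 GMT
subject=C = US, O = Other CA LLC, CN = Other Example ICA (constructed)
issuer=C = US, O = Other CA LLC, CN = Other Example Root (constructed)
notAfter=Dec 31 23:59:59 2030 GMT
subject=C = US, O = Other CA LLC, CN = Other Example Root (constructed)
issuer=C = US, O = Other CA LLC, CN = Other Example Root (constructed)
notAfter=Dec 31 23:59:59 2035 GMT
"""


@dataclass
class Cert:
    subject: dict
    issuer: dict
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def dn_key(dn: dict) -> tuple:
    """Hashable form of a DN, used to link a certificate to its issuer."""
    return tuple(sorted(dn.items()))


def parse_dn(text: str) -> dict:
    """Parse 'C = US, O = Entrust\\, Inc., CN = x' into {attribute: value},
    splitting only on commas that are not backslash-escaped."""
    dn = {}
    for part in re.split(r"(?<!\\),\s*", text):
        key, _, value = part.partition("=")
        dn[key.strip()] = value.strip().replace("\\,", ",")
    return dn


def parse_inventory(text: str) -> list:
    """Turn consecutive subject=/issuer=/notAfter= lines into Cert records."""
    certs, fields = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
        if key.strip() == "notAfter":  # last field of one record
            when = datetime.strptime(fields["notAfter"].removesuffix(" GMT"),
                                     "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            certs.append(Cert(parse_dn(fields["subject"]), parse_dn(fields["issuer"]), when))
            fields = {}
    return certs


def build_chain(leaf: Cert, by_subject: dict) -> list:
    """Follow issuer links up to a self-signed root; stop on a missing issuer or a loop."""
    chain, seen = [leaf], {dn_key(leaf.subject)}
    while not chain[-1].self_signed:
        key = dn_key(chain[-1].issuer)
        if key in seen or key not in by_subject:
            break
        seen.add(key)
        chain.append(by_subject[key])
    return chain


@dataclass
class Finding:
    cn: str
    reasons: list


def audit(certs: list, now: datetime, flagged_org: str = "Entrust") -> list:
    """Report leaves that chain through a flagged CA, have expired, or lack a root."""
    by_subject = {dn_key(c.subject): c for c in certs}
    issuer_keys = {dn_key(c.issuer) for c in certs if not c.self_signed}
    leaves = [c for c in certs if dn_key(c.subject) not in issuer_keys]
    findings = []
    for leaf in leaves:
        chain, reasons = build_chain(leaf, by_subject), []
        for ca in chain[1:]:  # every CA above the leaf, intermediates and root
            org = ca.subject.get("O", "")
            if flagged_org.lower() in org.lower():
                kind = "root" if ca.self_signed else "intermediate"
                reasons.append(f"chains through {kind} '{ca.subject.get('CN', '?')}' (O={org})")
        if not chain[-1].self_signed:
            reasons.append("chain incomplete in inventory; root not found")
        if leaf.not_after <= now:
            reasons.append(f"expired {leaf.not_after:%Y-%m-%d}")
        if reasons:
            findings.append(Finding(leaf.subject.get("CN", "?"), reasons))
    return findings


if __name__ == "__main__":
    today = datetime(2025, 1, 14, tzinfo=timezone.utc)  # constructed reference date
    for f in audit(parse_inventory(SAMPLE_INVENTORY), today):
        print(f.cn)
        for r in f.reasons:
            print("  -", r)
```

To run it against real data, concatenate the output of `openssl x509 -in "$f" -noout -subject -issuer -enddate` over every exported certificate (leaves, intermediates and roots) and pass the text to `parse_inventory`. Matching on the organization name is a convenient first pass for discovery; a production check should identify roots by their fingerprints against the root store you care about, and pkilint covers the separate question of whether each certificate itself conforms to the applicable profile.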

The best way to protect your organization from future threats

Many organizations still rely on manual processes like tracking certificates with spreadsheets—an approach that makes it very difficult to pivot when things go wrong.

Implementing an automated CLM tool like DigiCert Trust Lifecycle Manager ensures that every certificate can be monitored, renewed, and replaced seamlessly. By automating your certificate management, your organization will get the crypto-agility it needs to avoid service disruptions, maintain compliance, and meet the CA/B Forum’s strict deadlines when a certificate gets revoked.

The latest developments in digital trust

Want to learn more about topics like crypto-agility, automation, and certificate lifecycle management? Subscribe to the DigiCert blog to ensure you never miss a story.
