Back
-
Solutions
Back
Digital Trust for:
Enterprise IT, PKI & Identity
Code & Software Signing
Documents & eSignatures
IoT & Connected Devices
Manage PKI and certificate risk in one place
Quantum is coming.
It's time to prepare.
Quantum is coming.
WATCH REPLAY
It's time to prepare. - Buy
-
Insights
Back
Resources
Explore these pages to discover how DigiCert is helping organizations establish, manage and extend digital trust to solve real-world problems.
-
Partners
Back
- Support
- Contact us
- Language
Switch to DigiCert
TLS/SSL for web
Protect your organization’s reputation and online presence with replacement certificates from DigiCert, trusted by Google and Mozilla.
Entrust Certificate Distrust
Get replacement certificates. Fast.
- Quickly and easily purchase replacement TLS/SSL certificates with a credit card.
- Your purchase includes access to DigiCert CertCentral®, our award-winning website certificate automation manager.
- If you have needs not listed here, contact us. Our team can help create a custom solution.
Looking for a tailored migration experience?
If you have many certificates to replace or other complex technical or business requirements, please contact our team to discuss the best migration path for your organization. DigiCert offers a wide variety of trusted digital certificates, PKI services, and certificate lifecycle management.
Google Chrome and Mozilla to distrust new issuance of Entrust certificates.
Public TLS/SSL certificates issued from Entrust roots will not be trusted by Google Chrome if the Signed Certificate Timestamp (SCT) is dated after November 11, 2024, and by Mozilla if the SCT is dated after November 30, 2024.
- To be trusted by a browser, a public certificate authority must comply with specific requirements defined by the CA/Browser Forum.
- To ensure trust is consistent and continuous, browser root programs receive regular audit reports about Certificate Authority (CA) operations and compliance.
- Transparency and accountability are critical to trust. CAs are expected to work in good faith with the browser root programs to fix and prevent issues.
- Recently, browser root programs indicated a lack of confidence in the TLS certificate issuance practices of Entrust.
- Google ultimately decided to revoke trust for new certificate issuance in Entrust roots on the Chrome browser, a move that was subsequently mirrored by Mozilla Firefox.
What does this mean for Entrust customers?
- Google Chrome will not trust Public TLS certificates with an SCT issued by Entrust roots after November 11, 2024.
- Mozilla Firefox will not trust Public TLS certificates issued by Entrust roots with an earliest SCT after November 30, 2024.
- Servers using these affected issuances of Entrust certificates will display as an unsecured site by Google and Mozilla.
- Any TLS certificate with an SCT dated on or before these distinct Google Chrome and Mozilla Firefox distrust dates are unaffected by the distrust.
We’re here to help
We understand this incident is a business disruption for affected organizations.
As a global leader in globally trusted public and private trust solutions, we are committed to helping you maintain critical operations and ensure business continuity during the transition from Entrust—and beyond.
How we earn your trust
Compliance for all
We’re empowering compliance through innovation and open-source solutions
DigiCert employs a proactive and data-driven approach to compliance—and we even offer our technology freely to help other organizations do the same, including our recent open-source release of PKIlint, an automated certificate linter that enables users to rapidly check certificates for errors and compliance issues.
Global standards and governance
We’re building trust through adherence to global standards
Without a globally accepted body of standards, there is no core foundation for trust. We adhere to all the requirements of the CA/Browser Forum for the issuance and management of certificates.
Public communication and collaboration
We’re committed to transparency and accountability
At DigiCert, transparency is at the core of our commitment to maintaining trust and integrity in digital security. When a revocation incident occurs, we prioritize clear and prompt communication, including the cause, scope, and steps taken to address the issue. Our goal is to ensure that all stakeholders are fully informed and confident in our actions to uphold our commitment to their security and the standards by which we are governed.
Leading by example
We’re dedicated to upholding digital trust
We take our responsibility as a Certificate Authority in the root store of all major browsers very seriously. Our entire company’s sole focus is—and has been for more than two decades—to do everything in our power to deliver digital trust to our customers.
Need assistance navigating your migration from Entrust?
Our experts can help ensure you make the transition without disruption or costly outages. Reach out today.
The Entrust distrust
webinar
What happened, what it means and what steps to take
We helped thousands navigate the Symantec distrust in 2018. Join us for an experience-backed roadmap to avoiding disruption from the Entrust distrust.
Related resources
BLOG
The Entrust distrust: Key takeaways for CAs and organizations
BLOG
Why Compliance is the Foundation of Digital Trust
BLOG
DigiCert Releases Innovative Automated Testing Tool for Digital Certificates
BLOG
What is a CA's role in delivering digital trust?
Video
What is digital trust?
Datasheet
Certificate management for TLS best practices
FAQ
Why did Google decide to distrust Entrust roots?
When will my Entrust certificates be distrusted?
When should I start replacing my current Entrust certificates?
How can I determine if we are using Entrust certificates in our environment?
Why did Google decide to distrust Entrust roots?
In their announcement of the decision, Google said:
Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.
And...
Certification Authorities (CAs) serve a privileged and trusted role on the Internet that underpin encrypted connections between browsers and websites. With this tremendous responsibility comes an expectation of adhering to reasonable and consensus-driven security and compliance expectations, including those defined by the CA/Browser TLS Baseline Requirements.
Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified.
When will my Entrust certificates be distrusted?
Starting with the November 11 stable release of Google Chrome, which all Chrome users will eventually install, public TLS certificates issued from Entrust roots with a Signed Certificate Timestamp (SCT) dated after November 11, 2024, will not be trusted by Chrome.
Mozilla announced that they would distrust Entrust roots as of December 1. Any Entrust TLS certificate with an SCT dated on or before November 30, 2024, will be valid for its term. But if you modify, rekey, or renew such a certificate on or after December 1, it will be distrusted.
Any Entrust TLS certificate with an SCT dated on or before November 11, 2024 (for Google Chrome) and November 30, 2024 (for Mozilla Firefox) will be valid for its term. But if you modify, rekey, or renew such a certificate, it will be distrusted.
When should I start replacing my current Entrust certificates?
We recommend customers start planning their replacement strategy as soon as possible, with an accurate inventory of their certificates. You may already be experiencing outages because of their distrust. This effort involves learning when each certificate will expire, assessing the risk profile of the associated service, and planning the replacement process. Contact us today to start your migration plan.
How can I determine if we are using Entrust certificates in our environment?
A variety of tools can connect to your infrastructure to scan and discover certificates in your environment. If you are an Entrust customer, look in your Entrust console for tools to help.
DigiCert customers can use DigiCert® Trust Lifecycle Manager (TLM) and DigiCert CertCentral® to evaluate their environment and identify any Entrust certificates in need of replacement. Contact us if you need help with scanning and discovery.
-
The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.
-
-
© 2024 DigiCert, Inc. All rights reserved.
Legal Repository Audits & Certifications Terms of Use Privacy Center Accessibility Cookie Settings