In their announcement of the decision, Google said:
"Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner".
and
"Certification Authorities (CAs) serve a privileged and trusted role on the Internet that underpin encrypted connections between browsers and websites. With this tremendous responsibility comes an expectation of adhering to reasonable and consensus-driven security and compliance expectations, including those defined by the CA/Browser TLS Baseline Requirements.
Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified".
Starting with the November 11 stable release of Google Chrome, which all Chrome users will eventually install, public TLS certificates issued from Entrust roots with a Signed Certificate Timestamp (SCT) dated after November 11, 2024, will not be trusted by Chrome.
Any Entrust TLS certificate with an SCT dated on or before November 11, 2024, will be valid for its term. But if you modify, rekey, or renew such a certificate, it will be distrusted.
Mozilla announced that they would distrust Entrust roots as of December 1. Any Entrust TLS certificate with an SCT dated on or before November 30, 2024, will be valid for its term. But if you modify, rekey, or renew such a certificate on or after December 1, it will be distrusted.
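One way to check where a given certificate falls against these cutoffs, as an added example that is not part of the original page or of any DigiCert tool: it parses the certificate's embedded SCT list (RFC 6962 encoding) and compares the earliest SCT date with each root program's cutoff. Comparing against the earliest SCT, and the constructed sample SCTs used for testing, are assumptions of this example.

```python
import struct
from datetime import date, datetime, timezone

# Cutoff dates stated on this page: an SCT dated on or before the cutoff keeps
# the certificate valid for its term; a later SCT means the certificate is distrusted.
CUTOFFS = {"chrome": date(2024, 11, 11), "mozilla": date(2024, 11, 30)}


def parse_sct_timestamps(sct_list: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList (the bytes inside the
    OCTET STRING of the SCT extension, OID 1.3.6.1.4.1.11129.2.4.2) and return
    each embedded SCT's timestamp as a UTC datetime."""
    (total,) = struct.unpack(">H", sct_list[:2])
    body = sct_list[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    stamps, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        sct = body[pos + 2:pos + 2 + n]
        pos += 2 + n
        # SCT v1 layout: version(1) | log_id(32) | timestamp(8, ms since epoch) | ...
        if len(sct) < 41 or sct[0] != 0:
            raise ValueError("unsupported SCT version or malformed SCT")
        (ms,) = struct.unpack(">Q", sct[33:41])
        stamps.append(datetime.fromtimestamp(ms / 1000, tz=timezone.utc))
    return stamps


def still_trusted(sct_list: bytes, program: str) -> bool:
    """Apply the page's rule for one root program. Assumption of this example:
    the earliest embedded SCT is the one compared against the cutoff."""
    earliest = min(parse_sct_timestamps(sct_list))
    return earliest.date() <= CUTOFFS[program]


# --- constructed test data, not real SCTs -----------------------------------
def ms_at(y: int, m: int, d: int, h: int = 0) -> int:
    """Milliseconds since the epoch for a UTC instant."""
    return int(datetime(y, m, d, h, tzinfo=timezone.utc).timestamp() * 1000)


def make_sct_list(*ms: int) -> bytes:
    """Build a syntactically valid v1 SCT list with an all-zero log id, no
    extensions and an empty ECDSA/SHA-256 signature, for offline testing."""
    scts = b""
    for m in ms:
        body = b"\x00" + bytes(32) + struct.pack(">Q", m) + b"\x00\x00" + b"\x04\x03\x00\x00"
        scts += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(scts)) + scts
```

On a real certificate, feed the function the raw value of the SCT extension; the same logic then tells you which root program still accepts the certificate and which does not.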
Neither Microsoft nor Apple has made an announcement on the matter.
We recommend customers start planning their replacement strategy as soon as possible, beginning with an accurate inventory of their certificates. You may already be experiencing outages because of the distrust. This effort involves learning when each certificate will expire, assessing the risk profile of the associated service, and planning the replacement process. Contact us today to start your migration plan.
A variety of tools can connect to your infrastructure to scan and discover certificates in your environment. If you are an Entrust customer, look in your Entrust console for tools to help.
DigiCert customers can use DigiCert® Trust Lifecycle Manager (TLM) and DigiCert CertCentral® to evaluate their environment and identify any Entrust certificates in need of replacement. Contact us if you need help with scanning and discovery.
Getting new certificates is straightforward and fast, provided you are responsive. We will need to validate your domain, which takes seconds, and then validate your organization, which can be done in minutes. The entire process of getting your new certificates can be completed very quickly, in most cases.
Organization Validation (OV) is good for two years. Once you have validated with DigiCert, you only need to complete Domain Validation (DV), which means subsequent certificate requests will be even quicker.
No, DigiCert must perform its own validation process before we can replace your Organization or Extended Validation (EV) certificates from Entrust.
Yes, for a Domain Validation certificate, we only validate the domain, which takes seconds. It requires you to perform simple and quick actions.
There are three principles that distinguish DigiCert and our Certificate Authority (CA) business as a leading provider of digital trust.
First, we diligently follow well-defined processes and use tools specifically developed to mitigate risks, like PKILint.
Second, we work closely with the CA/Browser Forum to respond to issues quickly and transparently; when issues arise, we work quickly to solve them.
Third, we are an active participant in the standards bodies, ensuring that we not only comply with standards but help evolve them for the benefit of industry.
We believe there was never any risk of DigiCert being distrusted during this incident, because we reported the issue as soon as we knew about the error, and we worked with customers and major browser vendors to ensure that replacement of the affected certificates proceeded according to required timelines.
In their announcement of the Entrust distrust, Google said, “When things don’t go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.” DigiCert put our full effort into making those changes as soon as possible, and we worked closely with the Chrome group and other browser vendors to collaboratively correct the error with as little disruption to our customers as possible.
The CA/B Forum does not make CA trust/distrust decisions. These decisions are made by certificate-consuming application vendors, which are overwhelmingly large browser vendors (especially Google Chrome).
The Bugzilla forum (on the CA Program) where these issues are discussed is open and public. Be wary of individual claims made in the forum, because individuals disagree, and it often takes time for consensus to emerge among the participants.
Only TLS certificates chaining to Entrust root certificates have been affected, and only those issued on or after November 12, 2024. However, if you want to replace other Entrust certificate products, DigiCert also offers solutions to manage S/MIME, code signing, document signing, verified/common mark certificates, and other types of PKI-based certificate security.
DigiCert Trust Lifecycle Manager accommodates enterprise PKI at scale, working with your existing architecture. Trust Lifecycle Manager allows you to discover certificates issued by any TLS/SSL source, not just those from DigiCert or Entrust. We offer automation for both public and private PKI, and Trust Lifecycle Manager provides a secure workforce management platform, so you can implement role-based access controls with ease.
DigiCert is offering incentives for some customers affected by this event. Please contact us for more details.
If you have been affected, users of the current version of Chrome will get errors attempting to access your sites. If you do not know what certificates you have or who issued them, you should perform an inventory of your cryptographic assets. DigiCert can help you create an inventory. Contact us here for a custom migration plan or for assistance using our new Entrust Discovery Connector.
There is no immediate problem with Entrust TLS certificates issued before November 12. However, as these certificates approach their expiration date you will need to replace them with TLS certificates from a trusted public Certificate Authority like DigiCert.
No. The distrust only applies to public TLS certificates issued by Entrust.
The decision by the Google and Mozilla Root Programs applies to public TLS certificates issued from Entrust roots with a Signed Certificate Timestamp (SCT) dated after November 11, 2024. The decision does not currently impact other public certificates like code signing or S/MIME, issued by Entrust.
You should consult with your legal counsel.
You need to work with a vendor that has experience helping customers migrate during a distrust event. A frequent first step is to inventory all your cryptographic assets. You can then determine what needs to be addressed immediately and plan for any other changes and improvements that should be made.
Yes. To be clear, as of November 12, if you modify, rekey, or renew an existing Entrust TLS certificate the resulting (new) certificate will not be trusted.
DigiCert offers award-winning live support, customization, and representation for easier issuance, management, and mitigation throughout the entire certificate lifecycle. DigiCert is best known for customer support and working with customers to meet all their certificate needs. Let's Encrypt serves an important purpose, but it does not provide all certificate types, a management console, live technical support, or sophisticated ancillary services such as certificate lifecycle management. You can manage all your DigiCert certificates with CertCentral, and use Trust Lifecycle Manager to manage certificates issued by other Certificate Authorities as well.
Yes, but there is at least one published workaround. Quoting the Chrome distrust announcement:
Beginning in Chrome 127, enterprises can override Chrome Root Store constraints like those described for Entrust in this blog post by installing the corresponding root CA certificate as a locally-trusted root on the platform Chrome is running (e.g., installed in the Microsoft Certificate Store as a Trusted Root CA).
Chrome on Android uses the Chrome root store, so it is affected by the distrust. Importantly, as with all iOS software, Chrome on iOS must use the Apple root stores, and therefore it is not necessarily affected. But Chrome has blocked roots in code before, and Google rescheduled the distrust date to November 12 to coincide with a Chrome version release. This may suggest they will block the roots in the code of that update.
If Apple distrusts Entrust in the future, that will affect all iOS and macOS devices.
Correct. This is currently limited to WebPKI. Government CAs are separate and are not impacted directly.
Yes, DigiCert Trust Lifecycle Manager will pull inventory from your Entrust Account and give you the 'easy button' to get a new certificate from DigiCert. It also will add the ability to automate the installation and renewal to numerous systems and services.