Blog Post Jul 01, 2024

Google to distrust Entrust SSL/TLS certificates: What this means for the industry

In a significant move to enhance digital certificate security, Google has announced its decision to distrust all public SSL certificates issued by Entrust, effective after October 31, 2024.

This announcement has sent not just ripples, but waves through the industry, particularly among Entrust customers who now face the urgent task of transitioning to new Certificate Authorities (CAs).

The catalyst for distrust

Google's decision is rooted in a series of compliance failures by Entrust. Over the past several months, Entrust has experienced significant issues, including extremely delayed revocations and multiple lapses in meeting established security standards. Google's Security Blog noted, "Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports." This lack of progress and ongoing issues justified the revocation of trust in Entrust's public roots.

To be trusted by a browser, a CA must comply with specific requirements defined by the CA/Browser Forum. Transparency is crucial, as CAs are expected to work in good faith with browsers to fix and prevent issues. Recent root program audits indicated a lack of confidence in Entrust's TLS certificate issuance practices, which prompted Google's decision to distrust Entrust certificates in the Chrome browser, so the news was not completely unexpected to the industry.

Implications for businesses

For businesses using Entrust certificates, this development necessitates immediate action. Any website using an Entrust certificate issued after October 31 will be treated as an unsecured site on Google Chrome, and likely other major browsers will follow suit. Companies must source a new certificate authority before the deadline to avoid their websites being flagged as untrusted.

Choosing a reputable Certificate Authority

Considering Entrust's failings, businesses must reassess their relationships with CAs. A reputable CA should demonstrate robust compliance with industry standards, transparent operations, and a proven track record of security and reliability. Companies like Sectigo, which offers comprehensive certificate lifecycle management solutions, present viable alternatives.

Sectigo Certificate Manager (SCM) is a cloud-native platform that provides full visibility and automated lifecycle management for all public and private certificates, regardless of the issuing CA. It can be instrumental in ensuring a smooth transition from Entrust certificates and maintaining robust security postures.

Industry-wide impact

Google's decision has broader implications beyond the immediate need to source a new CA. It highlights the critical role of CAs in maintaining digital trust and the ongoing necessity for stringent compliance and security measures. The CA/B Forum’s standards are designed to protect the integrity of digital communications, and failures like those exhibited by Entrust can erode this trust, necessitating firm actions from browser vendors like Google.

Future outlook

  • Increased Scrutiny: Other CAs will likely face increased scrutiny, prompting a reevaluation of their compliance and security practices.
  • Enhanced Standards: The CA/B Forum may introduce more rigorous standards to prevent similar incidents, ensuring that CAs adhere to the highest levels of security and reliability.
  • Proactive Measures: Companies should adopt proactive measures in managing their digital certificates, including regular audits, compliance checks, and staying informed about industry developments.

Moving ahead

Google’s distrust of Entrust TLS certificates serves as a stark reminder of the crucial role that Certificate Authorities play in the digital ecosystem. For businesses, this development is a call to action to reassess and fortify their digital security strategies, ensuring they partner with reliable and compliant CAs. The industry, meanwhile, must continue to evolve, embracing higher standards and more robust compliance measures to maintain and enhance digital trust.

Navigating this transition may be challenging, but with the right tools and partners, businesses can ensure a seamless shift to trusted certificates, safeguarding their operations and customer trust in the digital age. By automating certificate lifecycle management and practicing enterprise-wide crypto-agility, organizations can ensure a seamless CA migration with minimal disruption and maximum security. As the cryptography landscape continues to evolve with new quantum-safe algorithms and 90-day certificates, organizations should implement automation and become crypto-agile today as a best practice for maintaining a resilient security posture.

How Sectigo can help you with simple CA migration

Sectigo Certificate Manager (SCM) is a scalable, CA-agnostic certificate lifecycle management (CLM) solution that automates all certificate processes end-to-end. You can discover, inventory, monitor, replace, revoke and renew all your public and private certificates, through a central management console. Sectigo’s products bring together visibility, automation, and control across on-premises, multi-cloud, hybrid cloud, IoT, and containerized environments to simplify certificate lifecycle management, improve efficiency, build crypto-agility, and ensure continuous compliance.

To quickly migrate from Entrust CA to Sectigo, request a demo today and we will support you through this transition.