Entrust distrust: How to move to a new Certificate Authority
Entrust, a once-trusted Certificate Authority (CA), has faced a significant setback as Google and Mozilla have announced they will no longer trust Entrust's SSL/TLS certificates due to security concerns. This move leaves current Entrust customers scrambling to find alternative CAs to ensure secure digital connections, avoid potential cybersecurity risks, and ensure continued protection. This blog will outline steps for migrating certificates, stressing the importance of active management and automation in maintaining digital security.
Article updated on 11th September, 2024 due to latest Google announcement.
Entrust was, until recently, one of the established names in the SSL (Secure Sockets Layer) / TLS (Transport Layer Security) certificate market, and many organizations relied on it. As a Certificate Authority (CA), its job is to issue certificates that browsers and devices trust, and to do so in strict compliance with the industry's issuance rules. Entrust has not lived up to that responsibility: Google has announced that Chrome will no longer "trust by default" Entrust's digital certificates, and Mozilla has followed suit, leaving current Entrust SSL customers looking for a replacement.
This is an eye-opening time for those who once depended on Entrust to deliver robust encryption and authentication. With two of the digital world's biggest players expressing obvious doubt as to Entrust's ability to protect users, it has become clear to current customers that other avenues must be explored. Moving to a different Certificate Authority may seem like a complicated process, but with your organization’s cybersecurity at stake, it’s needed.
Choosing a trusted CA that’s right for your organization to partner with will make the transition easy and take any complications out of the process. Our team at Sectigo is happy to guide this process and deliver greater peace of mind as you find your new normal. Keep reading to learn what's going on with Entrust, what the cybersecurity implications could involve for Entrust customers — and what it takes to migrate to a new Certificate Authority for your SSL certificate services.
Understanding what happened to Entrust
In a recent announcement from Google, the internet giant shared its intention to, as Forbes explains, "revoke Transport Layer Security certificates issued by Entrust...on the grounds of prioritizing the security and privacy of Chrome’s users." Forbes adds that this is a big deal, given the CA's responsibility to "act as the foundation of the encrypted connections that users rely upon between their web browser and the internet." Strictly speaking, nothing is being revoked: the certificates remain valid as signed objects and are unaffected in other software, but Chrome stops accepting them as trusted.
According to the Google Chrome browser security team, "publicly disclosed incident reports [have] highlighted a pattern of concerning behaviors by Entrust that fall short" of expectations, adding that this has "eroded confidence in [Entrust's] competence, reliability, and integrity as a publicly-trusted [CA Owner]."
As a result, Chrome users visiting sites that present newly issued Entrust certificates will encounter warnings that the connection is not private. The cutoff is based on issuance date, not on the browser update date: certificates issued on or before November 11, 2024 remain trusted until they expire, while certificates issued from November 12, 2024 onward (Chrome keys this on the earliest Signed Certificate Timestamp embedded in the certificate) are distrusted by default in Chrome 131 and later. Mozilla's cutoff is later: Firefox distrusts Entrust certificates issued after November 30, 2024.
In a response to this fiasco, Entrust's CEO Todd Wilkinson issued a statement, explaining, "Our recent mis-issuance incidents arose out of a misinterpretation we made of CA/Browser Forum compliance requirements. In our attempt to resolve this issue, our changes created additional non-security related mis-issuances."
While Wilkinson claims that Entrust has changed key processes and policies to address these issues, a central problem remains: previously satisfied Entrust customers may no longer feel confident that their SSL certificates will provide sufficient protection.
How to move to a new Certificate Authority
With Chrome flagging sites that use Entrust certificates issued after November 11, 2024 as not secure, the time to make a change is now. Yes, certificates issued before the cutoff technically remain trusted until they expire, but every renewal after that date will land on the wrong side of the line, and the question of whether a CA with this record provides sufficient assurance is worth asking regardless. To avoid any lapses in coverage, follow these steps to start migrating to a new CA with minimal disruption:
Step 1: evaluate your current situation
First things first: you need to identify and understand all of the digital certificates you are currently using — especially those issued by Entrust. Certificate discovery is an extremely important step in the overall certificate lifecycle management process because having full visibility into your entire certificate inventory will help avoid outages.
Equally important is determining how much your organization depends on features or integrations from your original CA. Acquiring new certificates is rarely the hard part; adjusting long-standing processes (such as automated certificate lifecycle management, ACME clients, or API integrations that are wired to the old CA) can take more effort. Once you know which features you rely on, you are better placed to look for equivalent capabilities from other CAs.
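A discovery pass over the hosts you know about can be scripted with tools already present on most servers. The shell script below is an added example for this article, not Sectigo's tooling or anything from the original post: it pulls the leaf certificate from each host, checks whether the issuer is Entrust, and reports which side of Chrome's cutoff the certificate falls on. It assumes openssl(1) and GNU date(1) are installed, uses the certificate's notBefore date as a stand-in for the SCT timestamp that Chrome actually keys on (the two normally differ by minutes at most), and matches issuers by the substrings "Entrust" and "AffirmTrust" (an Entrust-owned root brand), which is a simplification of the browsers' root-by-root lists.

```shell
#!/bin/sh
# Added example (not Sectigo's tooling): find TLS server certificates issued
# by Entrust and decide whether Chrome's cutoff affects them.
# Assumptions: openssl(1) and GNU date(1) are installed; notBefore is close
# enough to the earliest SCT timestamp that Chrome keys on; the issuer name
# of an Entrust-operated intermediate contains "Entrust" or "AffirmTrust".

# Chrome distrusts Entrust-issued server certificates dated after this instant.
CUTOFF_EPOCH=$(date -u -d '2024-11-11 23:59:59 UTC' +%s)

# classify ISSUER NOTBEFORE
# Prints one of: NOT_ENTRUST, TRUSTED_UNTIL_EXPIRY, DISTRUSTED
classify() {
  issuer=$1
  not_before=$2
  case "$issuer" in
    *Entrust*|*AffirmTrust*) ;;
    *) echo NOT_ENTRUST; return 0 ;;
  esac
  # openssl prints dates like "Nov 12 00:00:00 2024 GMT", which GNU date parses.
  nb_epoch=$(date -u -d "$not_before" +%s) || return 1
  if [ "$nb_epoch" -gt "$CUTOFF_EPOCH" ]; then
    echo DISTRUSTED
  else
    echo TRUSTED_UNTIL_EXPIRY
  fi
}

# assess_pem FILE -> "issuer|notBefore|notAfter|verdict"
assess_pem() {
  pem=$1
  issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
  not_before=$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2-)
  not_after=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2-)
  verdict=$(classify "$issuer" "$not_before") || return 1
  printf '%s|%s|%s|%s\n' "$issuer" "$not_before" "$not_after" "$verdict"
}

# assess_host HOST [PORT] -> "host:port|issuer|notBefore|notAfter|verdict"
# Fetches the leaf certificate the server actually presents.
assess_host() {
  host=$1
  port=${2:-443}
  tmp=$(mktemp) || return 1
  # -servername sends SNI so name-based virtual hosts return the right
  # certificate; </dev/null closes stdin so s_client exits after the handshake.
  if ! openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
       | openssl x509 -outform PEM >"$tmp" 2>/dev/null; then
    rm -f "$tmp"
    echo "$host:$port|||FETCH_FAILED"
    return 1
  fi
  printf '%s:%s|' "$host" "$port"
  assess_pem "$tmp"
  rm -f "$tmp"
}

# scan_hosts < hosts.txt   (one "host" or "host port" per line, # for comments)
scan_hosts() {
  while read -r host port; do
    [ -z "$host" ] && continue
    case "$host" in "#"*) continue ;; esac
    assess_host "$host" "$port"
  done
}
```

Run it as `scan_hosts < hosts.txt` against an inventory of hostnames, then feed the DISTRUSTED and TRUSTED_UNTIL_EXPIRY lines into your replacement schedule. The script only sees what a scanner sees: certificates on internal hosts, load balancers, and appliances that are not in the host list still need to be found by other means, which is why the discovery step matters.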
Step 2: choose a new Certificate Authority
There are multiple Certificate Authorities available to choose from. Do your research to avoid future fiascos, such as the current situation with Entrust. As you examine various Certificate Authorities, take a close look at many qualities and caveats. Yes, pricing matters, but this should not be the primary consideration. Rather, this choice hinges on concerns such as:
Customer support: Whether you face technical issues or worry about compliance, you want to feel confident that experts from your new CA will take the time to answer your questions and address your concerns. Take a close look at available support tools and response time to confirm that you'll consistently get the help you need.
Overall reputation: How is your potential new CA regarded by industry leaders? When in doubt, opt for a CA with a solid reputation. Take a close look at reviews, awards, and audits to verify how your future CA is perceived across the digital ecosystem.
Security and compliance: Given the current issues with Entrust, it's clear that security needs to be a priority with any CA. This is best verified by reviewing CA policies, complete with insight into cryptographic practices and incident response.
Automation platform capabilities: An automated approach to certificate lifecycle management (CLM) can improve coverage, minimizing manual effort while also reducing the risk of certificate expiration and associated outages or downtime. Search for CAs that offer robust, automated CLM solutions, complete with central platforms that are easy to navigate.
Integrations: Depending on your DevOps needs, you may be drawn to CAs with robust integrations into your current tech stack. Level up your network architecture and establish digital trust across all relevant hardware, software, and components. A CA-agnostic platform such as Sectigo should make it easy to navigate multi-vendor requirements.
A trusted CA with an excellent reputation, Sectigo is an excellent resource as you get equipped with SSL/TLS certificates. As you navigate this transition, feel free to browse the other digital certificates and other security solutions Sectigo offers.
Step 3: plan the transition
You've found the right CA to handle your digital certificate needs moving forward; now it's time to plan a seamless transition. Resist the urge to cut ties with your old CA before the new CA has issued your replacement certificates. It is perfectly normal to hold certificates from multiple providers for a single domain. One thing to check first: if the domain publishes a CAA record in DNS that authorizes only Entrust, the new CA is required to refuse issuance until that record is updated to name it as well.
Good news: certificates issued before the browsers' cutoff dates remain trusted until they expire, so nothing breaks on the day you switch. During the transition period, obtain new certificates from your chosen CA covering the same servers and domains, then replace the old ones on your own timing. Some organizations swap everything immediately after the first successful issuance; others replace each certificate as it nears expiration. The one hard constraint is that any Entrust certificate you would otherwise renew after the cutoff must be replaced rather than renewed.
No matter how you choose to navigate the transition, details about this process must be clearly communicated by all impacted parties. This means sharing plans with IT teams, management, and other stakeholders.
Step 4: purchase new certificates
At this point, you should be familiar not only with your previous digital certificate inventory (as revealed during the process completed in step 1), but also, with your SSL/TLS certificate needs moving forward. Now, it's time to actually choose relevant certificates from your new CA. This will call for new validation processes — but ideally, your new CA will walk you through these critical steps.
Step 5: generate certificate signing requests (CSRs)
Be prepared to generate a new certificate signing request (CSR) for each new certificate. A CSR carries the subject information the CA will validate and embed: the Fully Qualified Domain Name(s) the certificate must cover (list every hostname as a Subject Alternative Name, since browsers match hostnames against the SAN list rather than the Common Name) and, for OV/EV certificates, your organization's legal name and locality. Note that the Organizational Unit field, traditionally used to record the division managing the certificate, has not been permitted in publicly trusted certificates since September 2022, so a public CA will drop it. Generating the CSR also generates a new key pair: the public key goes into the CSR and the resulting certificate, while the private key stays on the server that will terminate TLS and is never sent to the CA. That key pair is the foundation of the trust the certificate conveys and a core component of the Public Key Infrastructure (PKI) framework.
Step 6: install new certificates
There are many ways to install digital certificates, and your CA can walk you through the process, although the details depend on the server or application involved. It may involve uploading certificate files, editing configuration files, or importing and binding certificates. Install the CA's intermediate certificates alongside the leaf, since a server that sends only the leaf will fail validation on clients that do not already cache the chain. Then verify each installation: confirm that the served certificate is the new one, that it matches the private key on the server, and that the full chain validates.
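The CSR step and the post-install check can both be done with openssl. The script below is an added example for this article, not Sectigo's tooling or anything from the original post. It generates an ECDSA P-256 key and a CSR with a SAN list for Step 5, then provides the two checks a practitioner wants for Step 6: that a returned certificate was issued for the key on disk, and that the live server is actually presenting a certificate for that key. It assumes openssl(1) 1.1.1 or later (for `-addext`), and all subject values shown are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Sectigo's tooling): key + CSR generation for a new
# certificate, and checks that the issued/served certificate matches the key.
# Assumes openssl(1) >= 1.1.1. Subject values are placeholders.

# make_csr OUTDIR FQDN ORG LOCALITY STATE COUNTRY [EXTRA_SAN...]
# Writes OUTDIR/FQDN.key (private key, readable only by the owner) and
# OUTDIR/FQDN.csr. Runs in a subshell so the restrictive umask does not leak.
make_csr() (
  outdir=$1 fqdn=$2 org=$3 loc=$4 st=$5 c=$6
  shift 6
  san="DNS:$fqdn"
  for extra in "$@"; do san="$san,DNS:$extra"; done
  umask 077
  # ECDSA P-256: smaller certificates and faster handshakes than RSA-2048,
  # accepted by all current browsers.
  openssl ecparam -name prime256v1 -genkey -noout -out "$outdir/$fqdn.key" || return 1
  # No OU: public CAs no longer accept it. The CN is kept for readability;
  # browsers match hostnames against the SAN list, so every name goes there.
  openssl req -new -key "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" \
    -subj "/C=$c/ST=$st/L=$loc/O=$org/CN=$fqdn" \
    -addext "subjectAltName=$san" || return 1
)

# csr_summary CSRFILE
# Verifies the CSR's self-signature, then prints the subject and SAN list,
# which is what you should eyeball before submitting the CSR to the CA.
csr_summary() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# key_matches_cert KEYFILE CERTFILE
# Exit 0 if the certificate's public key is the one derived from KEYFILE.
# Both sides are reduced to the DER SubjectPublicKeyInfo and hashed.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# served_cert_matches_key HOST PORT KEYFILE
# Exit 0 if the certificate the live server presents belongs to KEYFILE,
# i.e. the new certificate really is installed and bound.
served_cert_matches_key() {
  tmp=$(mktemp) || return 1
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$tmp" 2>/dev/null
  key_matches_cert "$3" "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

Typical use: `make_csr /etc/ssl/private www.example.test 'Example Corp' Springfield Illinois US example.test`, review `csr_summary` output, submit the `.csr` to the CA, then after installation run `served_cert_matches_key www.example.test 443 /etc/ssl/private/www.example.test.key` from outside the host. A mismatch at that last step almost always means the server is still serving the old certificate or was not reloaded.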
Step 7: monitor and manage
Don't simply assume that your digital certificates will always continue to provide the robust security you desire. Active monitoring and management are crucial. Regular audits are a must, along with compliance checks.
Beyond this, simply remaining informed is essential; make a point of following trusted news sources to determine whether any big changes are in store for the overarching cybersecurity encryption and authentication landscape.
Consider automating certificate lifecycle management
A shift to 90-day validity periods could be just around the corner — and it's never too early to get prepared with an automated approach to certificate renewals and to certificate lifecycle management. An automated CLM can limit administrative burdens while driving greater efficiency and accuracy in all aspects of the certificate lifecycle. Without automated solutions, certificate expiration becomes far more of a risk.
Sectigo makes the switch to a new CA simple
Trusting Entrust certificates may no longer be feasible, but thankfully, other options are available. This could be a great time to switch to a reputable alternative like Sectigo, while also adopting valuable solutions such as automated certificate lifecycle management. Be prepared to have a solution in place before Chrome's cutoff: Entrust certificates issued from November 12, 2024 onward are distrusted.
Sectigo Certificate Manager (SCM), a CA-agnostic certificate lifecycle solution, could bridge the gap by automating all essential certificate processes: discovery, inventory, monitoring, replacing, revoking, and renewing. Our end-to-end solution should provide extra peace of mind as you navigate this important transition. Book a demo today to discover SCM in action.
Want to learn more? Get in touch to book a demo of Sectigo Certificate Manager!
Related posts:
What it takes to be a reputable Certificate Authority
Certificate Authorities: What they are & why they’re important
Google to distrust Entrust SSL/TLS certificates: What this means for the industry