Google Chrome to Block Entrust SSL Certificates Starting November


Google has announced that its Chrome browser will stop trusting TLS server authentication certificates issued by Entrust and AffirmTrust starting November 1, 2024.

This decision follows Entrust’s series of compliance failures and unmet improvement commitments, which have eroded Google’s confidence in the certificate authority’s (CA) competence and reliability.

Certificate Authorities (CAs) play a crucial role in internet security by issuing digital certificates that verify website authenticity and enable encrypted connections between browsers and web servers.

These certificates ensure that data transmitted between users and websites remains private and secure. However, the integrity of this system relies heavily on the trustworthiness of the CAs.

Over the past several years, Entrust has been the subject of numerous publicly disclosed incident reports highlighting a pattern of concerning behaviors.


These include compliance failures, unmet commitments to improve, and a lack of tangible progress in addressing security issues.

When considered in aggregate, Google’s Chrome Security Team stated that these factors pose significant risks to the internet ecosystem, making continued trust in Entrust untenable.

Implementation and Impact

The blocking action will commence with the release of Chrome version 127 and affect all major operating systems, including Windows, macOS, ChromeOS, Android, and Linux. However, due to Apple’s policies, Chrome for iOS will not be affected as it does not use the Chrome Root Store.

Starting November 1, 2024, Chrome will no longer trust TLS server authentication certificates validating to the following Entrust roots if their earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024:

  • Entrust Root Certification Authority – EC1
  • Entrust Root Certification Authority – G2
  • Entrust.net Certification Authority (2048)
  • Entrust Root Certification Authority (2006)
  • Entrust Root Certification Authority – G4
  • AffirmTrust Commercial
  • AffirmTrust Networking
  • AffirmTrust Premium
  • AffirmTrust Premium ECC

Certificates issued before this date will remain trusted until they expire. Users navigating to websites with affected certificates will see a full-page interstitial warning that their connection is not secure.
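The rule from the two paragraphs above, applied in code: an added example (not from the article, Google, or Entrust), written in Python with only the standard library. It parses the SignedCertificateTimestampList that a certificate embeds (RFC 6962 format, carried in the 1.3.6.1.4.1.11129.2.4.2 extension), takes the earliest SCT timestamp, and decides whether a chain to an Entrust or AffirmTrust root is still trusted; matching the root by its O= organization and treating a certificate with no SCTs as blocked are this example's own assumptions, and the SCT bytes are constructed test data.

```python
import struct
from datetime import datetime, timezone

# Root organizations named in the announcement; matched against the chain's root O= field.
DISTRUSTED_ORGS = ("Entrust", "AffirmTrust")
# SCTs dated after October 31, 2024 (i.e. from November 1, 2024 UTC onward) trigger the block.
CUTOFF = datetime(2024, 11, 1, tzinfo=timezone.utc)

def ms_at(year: int, month: int, day: int) -> int:
    """Milliseconds since the Unix epoch at midnight UTC on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)

def parse_sct_list(blob: bytes) -> list[datetime]:
    """Parse an RFC 6962 SignedCertificateTimestampList (the OCTET STRING payload of
    the 1.3.6.1.4.1.11129.2.4.2 extension) and return the timestamp of each v1 SCT.
    Layout per SCT: version(1) || log_id(32) || timestamp_ms(8) || extensions || signature."""
    total = struct.unpack(">H", blob[:2])[0]
    i, end, stamps = 2, 2 + total, []
    while i < end:
        n = struct.unpack(">H", blob[i:i + 2])[0]
        sct, i = blob[i + 2:i + 2 + n], i + 2 + n
        if sct[0] != 0:
            continue  # only v1 (encoded as 0) SCTs are defined
        ms = struct.unpack(">Q", sct[33:41])[0]
        stamps.append(datetime.fromtimestamp(ms / 1000, tz=timezone.utc))
    return stamps

def chrome_trusts(root_org: str, sct_list: bytes) -> bool:
    """Apply the announced rule: a chain ending in an Entrust/AffirmTrust root stays
    trusted only if the leaf's earliest SCT predates the cutoff. A certificate with no
    SCTs at all is treated as blocked here (assumption made by this example)."""
    if not any(org in root_org for org in DISTRUSTED_ORGS):
        return True
    stamps = parse_sct_list(sct_list)
    return bool(stamps) and min(stamps) < CUTOFF

def build_sct(ms: int) -> bytes:
    """Constructed test data: a v1 SCT with a dummy log ID, no extensions and a placeholder signature."""
    body = b"\x00" + b"\x11" * 32 + struct.pack(">Q", ms) + b"\x00\x00" + b"\x04\x03\x00\x04\xde\xad\xbe\xef"
    return struct.pack(">H", len(body)) + body

def build_sct_list(*scts: bytes) -> bytes:
    body = b"".join(scts)
    return struct.pack(">H", len(body)) + body
if __name__ == "__main__":
    old = build_sct_list(build_sct(ms_at(2024, 10, 15)))
    new = build_sct_list(build_sct(ms_at(2024, 11, 5)))
    print(chrome_trusts("Entrust, Inc.", old))  # True: earliest SCT before the cutoff
    print(chrome_trusts("Entrust, Inc.", new))  # False: blocked from November 1, 2024
```

In practice the SCT list comes from the leaf certificate's extension (or from the TLS handshake or OCSP response), and the root organization from the last certificate in the validated chain.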

Website operators using certificates from Entrust or AffirmTrust are urged to transition to a new publicly-trusted CA included in the Chrome Root Store before the November 1, 2024, deadline.

This proactive measure will help operators avoid disruptions and ensure continued trust in their websites. Operators can use the Chrome Certificate Viewer to check if their certificates are affected and should begin obtaining and installing new certificates as soon as possible.

Enterprises using Entrust certificates for internal networks can override the Chrome Root Store constraints by installing the corresponding root CA certificate as a locally trusted root on Chrome’s platform.

This can be done through platform-specific instructions, such as using a Group Policy Object on Windows.

Google’s decision to block Entrust certificates underscores the importance of maintaining high security and compliance standards in the digital certificate ecosystem.

As the November 2024 deadline approaches, affected organizations must act swiftly to transition to trusted CAs to ensure uninterrupted and secure web interactions for their users.

How can website operators verify whether they are affected?

Website operators can verify if their certificates are issued by Entrust or AffirmTrust using the Chrome Certificate Viewer. Here are the steps:

  1. Navigate to the website: Open the website you want to check (e.g., https://www.cybersecuritynews.com).
  2. Open the security details:
    • Click the “Tune” icon (usually represented by a padlock or similar icon in the address bar).
    • Click “Connection is Secure.”
    • Click “Certificate is Valid” to open the Chrome Certificate Viewer.
  3. Check the issuer details:
    • In the Chrome Certificate Viewer, look under the “Issued By” heading.
    • If the “Organization (O)” field contains “Entrust” or “AffirmTrust”, the certificate is issued by one of these entities, and action is required.
    • If the “Organization (O)” field does not contain “Entrust” or “AffirmTrust”, no action is required.

By following these steps, website operators can determine if their certificates are affected by the upcoming changes in Google Chrome.

Google has not explicitly recommended that specific certificate authorities (CAs) replace Entrust or AffirmTrust. However, they advise website operators to transition to any publicly-trusted CA included in the Chrome Root Store. Here are some general steps and considerations for selecting a new CA:

Steps to Transition to a New CA

  1. Identify Trusted CAs:
    • Review the list of CAs included in the Chrome Root Store. This list includes well-known CAs such as DigiCert, GlobalSign, Sectigo, Let’s Encrypt, and others.
  2. Evaluate CA Offerings:
    • Compare the services, pricing, and support offered by different CAs. Consider factors such as the types of certificates offered (e.g., DV, OV, EV), issuance times, and customer support.
  3. Generate a Certificate Signing Request (CSR):
    • Create a CSR for your domain. This process typically involves generating a private key and a CSR file that includes your domain information.
  4. Purchase and Obtain the Certificate:
    • Purchase the desired certificate from the selected CA and complete any required validation steps. The CA will issue the certificate after verifying your domain ownership.
  5. Install the New Certificate:
    • Replace the existing Entrust or AffirmTrust certificate with the new one on your web server. Ensure that all configurations are updated to use the new certificate.
  6. Test the New Setup:
    • Verify that the new certificate is correctly installed and that your website functions as expected. Use tools like SSL Labs’ SSL Test to check for any issues.

While Google has not specified particular CAs, here are some widely recognized and trusted CAs you might consider:

  • DigiCert: Known for high assurance and fast issuance times.
  • GlobalSign: Offers a wide range of certificates and strong customer support.
  • Sectigo: Provides affordable options and a comprehensive range of certificates.
  • Let’s Encrypt: Offers free, automated certificates, ideal for smaller websites and projects.
  • GoDaddy: Popular for its user-friendly interface and extensive support.
