Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now.
On Thursday 27th June 2024, Google announced that it had been “closely following the discussions in the MDSP community regarding Entrust’s compliance failures. Despite being given a clear opportunity to thoroughly and satisfactorily address these issues through an initial report, Entrust’s response failed to meet [Google’s] and the community’s expectations. When provided with yet another chance to rise to the expected level of a public CA Owner, the subsequent report, although superficially improved, still does not offer substantive, convincing evidence of meaningful change.”
“TLS server authentication certificates validating to the following Entrust roots whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024 (GMT), will no longer be trusted by default.”
- CN=Entrust Root Certification Authority – EC1,OU=See www.entrust.net/legal-terms+OU=(c) 2012 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US
- CN=Entrust Root Certification Authority – G2,OU=See www.entrust.net/legal-terms+OU=(c) 2009 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US
- CN=Entrust.net Certification Authority (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c) 1999 Entrust.net Limited,O=Entrust.net
- CN=Entrust Root Certification Authority,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2006 Entrust, Inc.,O=Entrust, Inc.,C=US
- CN=Entrust Root Certification Authority – G4,OU=See www.entrust.net/legal-terms+OU=(c) 2015 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US
- CN=AffirmTrust Commercial,O=AffirmTrust,C=US
- CN=AffirmTrust Networking,O=AffirmTrust,C=US
- CN=AffirmTrust Premium,O=AffirmTrust,C=US
- CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
Entrust’s response
Later that same day, Entrust President & CEO Todd Wilkinson released a statement to customers:
“To address your concerns, there have been no security implications to the events that led to this distrust event, and you can be assured that your certificates are secure. I also want to assure you that Entrust can and will be able to serve your digital certificate needs now and in the future. And our ability to do this extends beyond the public roots covered in Google’s decision.”
What happens next?
While there is precedent for such scenarios, as seen with the distrust of Symantec most recently, the exact next steps remain uncertain. Entrust is expected to announce further plans soon given the urgency of the timeline.
What does this mean for VMC certificates?
VMC certificates issued by Entrust are not currently affected. However, the Gmail team indicated that it is ‘working internally to assess the situation.’ We will keep our customers updated as we learn more.
Action that customers need to start to take
Although Entrust has so far stated it’s business as usual, Red Sift advises customers to be prudent and take the following steps.
- Review your Certificate inventory using Red Sift Certificates to measure your exposure to Entrust. Even if you think you do not rely on Entrust certificates, it’s still highly recommended that you do this.
- Map the parts of your estate that have a dependency on Entrust as a Certification Authority.
- Identify any third-party certificates that your services depend on that will be impacted and ensure the vendors concerned understand the current scenario and are taking a pragmatic approach.
How Red Sift can help
This situation highlights why Red Sift Certificates is an essential part of our customers’ security software stack, particularly in today’s decentralized and heavily automated certificate issuance landscape. Without it, security and infrastructure teams may lack visibility into which Certification Authorities (CAs) are utilized and where certificates are deployed.
Red Sift Certificates (formerly known as Hardenize) customers can easily leverage our existing reports to locate all public certificates within their estate, regardless of the issuing CA or the hostnames on which they are deployed. This capability allows them to comprehensively map out and understand their risk exposure, enabling informed decision-making for their organization.
To address the current scenario, we will soon introduce a specific report to our Certificates dashboard. With a single click, customers will be able to view their current exposure and monitor any changes from now until October.
If you are not an existing Red Sift Certificates customer, then request a free demo. Our team will have you up and running within a matter of minutes.
