Google will no longer trust Entrust certificates from October 2024

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now.

On Thursday 27th June 2024, Google announced that it had been “closely following the discussions in the MDSP community regarding Entrust’s compliance failures. Despite being given a clear opportunity to thoroughly and satisfactorily address these issues through an initial report, Entrust’s response failed to meet [Google’s] and the community’s expectations. When provided with yet another chance to rise to the expected level of a public CA Owner, the subsequent report, although superficially improved, still does not offer substantive, convincing evidence of meaningful change.”

“TLS server authentication certificates validating to the following Entrust roots whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024 (GMT), will no longer be trusted by default.”

  • CN=Entrust Root Certification Authority – EC1,OU=See www.entrust.net/legal-terms+OU=(c) 2012 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US 
  • CN=Entrust Root Certification Authority – G2,OU=See www.entrust.net/legal-terms+OU=(c) 2009 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US
  • CN=Entrust.net Certification Authority (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c) 1999 Entrust.net Limited,O=Entrust.net
  • CN=Entrust Root Certification Authority,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2006 Entrust, Inc.,O=Entrust, Inc.,C=US
  • CN=Entrust Root Certification Authority – G4,OU=See www.entrust.net/legal-terms+OU=(c) 2015 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US
  • CN=AffirmTrust Commercial,O=AffirmTrust,C=US
  • CN=AffirmTrust Networking,O=AffirmTrust,C=US
  • CN=AffirmTrust Premium,O=AffirmTrust,C=US
  • CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US

Entrust’s response

Later that same day, Entrust President & CEO Todd Wilkinson released a statement to customers: 

“To address your concerns, there have been no security implications to the events that led to this distrust event, and you can be assured that your certificates are secure. I also want to assure you that Entrust can and will be able to serve your digital certificate needs now and in the future. And our ability to do this extends beyond the public roots covered in Google’s decision.”

What happens next?

While there is precedent for such scenarios, as seen with the distrust of Symantec most recently, the exact next steps remain uncertain. Entrust is expected to announce further plans soon given the urgency of the timeline.

What does this mean for VMC certificates?

VMC certificates issued by Entrust are not currently affected. However, the Gmail team indicated that it is ‘working internally to assess the situation.’ We will keep our customers updated as we learn more.

Action that customers need to start to take

Although Entrust has so far stated it’s business as usual, Red Sift advises customers to be prudent and take the following steps.

  • Review your Certificate inventory using Red Sift Certificates to measure your exposure to Entrust. Even if you think you do not rely on Entrust certificates, it’s still highly recommended that you do this. 
  • Map the parts of your estate that have a dependency on Entrust as a Certification Authority. 
  • Identify any third-party certificates that your services depend on that will be impacted and ensure the vendors concerned understand the current scenario and are taking a pragmatic approach.

How Red Sift can help

This situation highlights why Red Sift Certificates is an essential part of our customers’ security software stack, particularly in today’s decentralized and heavily automated certificate issuance landscape. Without it, security and infrastructure teams may lack visibility into which Certification Authorities (CAs) are utilized and where certificates are deployed.

Red Sift Certificates (formerly known as Hardenize) customers can easily leverage our existing reports to locate all public certificates within their estate, regardless of the issuing CA or the hostnames on which they are deployed. This capability allows them to comprehensively map out and understand their risk exposure, enabling informed decision-making for their organization.

To address the current scenario, we will soon introduce a specific report to our Certificates dashboard. With a single click, customers will be able to view their current exposure and monitor any changes from now until October.

If you are not an existing Red Sift Certificates customer, then request a free demo. Our team will have you up and running within a matter of minutes.

PUBLISHED BY

Red Sift

2 Jul. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Winter wins: Red Sift OnDMARC wraps up 2024 as a G2 DMARC…

Francesca Rünger-Field

The season of giving has brought us another reason to celebrate! Red Sift OnDMARC continues its winning streak in G2’s Winter 2025 report, earning Leader status in the DMARC category for another consecutive season. This recognition reflects our strong market presence and the unwavering satisfaction of our customers. Cheers to wrapping up 2024 on…

Read more
AI

Text classification in the age of LLMs

Phong Nguyen

As natural language processing (NLP) advances, text classification remains a foundational task with applications in spam detection, sentiment analysis, topic categorization, and more. Traditionally, this task depended on rule-based systems and classical machine learning algorithms. However, the emergence of deep learning, transformer architectures, and Large Language Models (LLMs) has transformed text classification, allowing for…

Read more
Security

How to drive cybersecurity as a top business priority

Jack Lilley

Everyone has a role to play in protecting the enterprise. Whether you’re shaping strategy or implementing solutions, aligning efforts to mitigate critical risks ensures a stronger, more resilient enterprise. If you missed Red Sift’s recent webinar on “From Data to Buy-In: Driving Cybersecurity as a Top Business Priority” we’ve got you covered. The session…

Read more
DMARC

BreakSPF: How to mitigate the attack

Red Sift

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like…

Read more