Google will no longer trust Entrust certificates from October 2024

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now.

On Thursday 27th June 2024, Google announced that it had been “closely following the discussions in the MDSP community regarding Entrust’s compliance failures. Despite being given a clear opportunity to thoroughly and satisfactorily address these issues through an initial report, Entrust’s response failed to meet [Google’s] and the community’s expectations. When provided with yet another chance to rise to the expected level of a public CA Owner, the subsequent report, although superficially improved, still does not offer substantive, convincing evidence of meaningful change.”

“TLS server authentication certificates validating to the following Entrust roots whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024 (GMT), will no longer be trusted by default.”

  • CN=Entrust Root Certification Authority – EC1,OU=See www.entrust.net/legal-terms+OU=(c) 2012 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US 
  • CN=Entrust Root Certification Authority – G2,OU=See www.entrust.net/legal-terms+OU=(c) 2009 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US
  • CN=Entrust.net Certification Authority (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c) 1999 Entrust.net Limited,O=Entrust.net
  • CN=Entrust Root Certification Authority,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2006 Entrust, Inc.,O=Entrust, Inc.,C=US
  • CN=Entrust Root Certification Authority – G4,OU=See www.entrust.net/legal-terms+OU=(c) 2015 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US
  • CN=AffirmTrust Commercial,O=AffirmTrust,C=US
  • CN=AffirmTrust Networking,O=AffirmTrust,C=US
  • CN=AffirmTrust Premium,O=AffirmTrust,C=US
  • CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US

Entrust’s response

Later that same day, Entrust President & CEO Todd Wilkinson released a statement to customers: 

“To address your concerns, there have been no security implications to the events that led to this distrust event, and you can be assured that your certificates are secure. I also want to assure you that Entrust can and will be able to serve your digital certificate needs now and in the future. And our ability to do this extends beyond the public roots covered in Google’s decision.”

What happens next?

While there is precedent for such scenarios, as seen with the distrust of Symantec most recently, the exact next steps remain uncertain. Entrust is expected to announce further plans soon given the urgency of the timeline.

What does this mean for VMC certificates?

VMC certificates issued by Entrust are not currently affected. However, the Gmail team indicated that it is ‘working internally to assess the situation.’ We will keep our customers updated as we learn more.

Action that customers need to start to take

Although Entrust has so far stated it’s business as usual, Red Sift advises customers to be prudent and take the following steps.

  • Review your Certificate inventory using Red Sift Certificates to measure your exposure to Entrust. Even if you think you do not rely on Entrust certificates, it’s still highly recommended that you do this. 
  • Map the parts of your estate that have a dependency on Entrust as a Certification Authority. 
  • Identify any third-party certificates that your services depend on that will be impacted and ensure the vendors concerned understand the current scenario and are taking a pragmatic approach.

How Red Sift can help

This situation highlights why Red Sift Certificates is an essential part of our customers’ security software stack, particularly in today’s decentralized and heavily automated certificate issuance landscape. Without it, security and infrastructure teams may lack visibility into which Certification Authorities (CAs) are utilized and where certificates are deployed.

Red Sift Certificates (formerly known as Hardenize) customers can easily leverage our existing reports to locate all public certificates within their estate, regardless of the issuing CA or the hostnames on which they are deployed. This capability allows them to comprehensively map out and understand their risk exposure, enabling informed decision-making for their organization.

To address the current scenario, we will soon introduce a specific report to our Certificates dashboard. With a single click, customers will be able to view their current exposure and monitor any changes from now until October.

If you are not an existing Red Sift Certificates customer, then request a free demo. Our team will have you up and running within a matter of minutes.

PUBLISHED BY

Red Sift

2 Jul. 2024

SHARE ARTICLE:

Categories

News

Related articles

Beyond DMARC: How Red Sift OnDMARC supports comprehensive DNS hygieneFirst look at DKIM2: The next generation of DKIMSecuring our world: For a safer internetBoosting email security amid recent Coinbase phishing attemptsRed Sift’s Fall 2024 Quarterly Product Release

Recent Posts

VIEW ALL
DMARC
14 Nov. 2024

Beyond DMARC: How Red Sift OnDMARC supports comprehensive DNS hygiene

Red Sift

Registrable domains and DNS play a crucial role in establishing online identity and trust, but their importance is often taken for granted. During new service setups, record updates are often overlooked, accumulating outdated entries. As infrastructure teams become increasingly overstretched,  services may be incorrectly shut down without proper cleanup, leaving behind a sprawl of…

Read more
DKIM
5 Nov. 2024

First look at DKIM2: The next generation of DKIM

Red Sift

In 2011, the original DomainKeys Identified Mail (DKIM1) standard was published. It outlined a method allowing a domain to sign emails, enabling recipients to verify that the email originated from an entity holding a private key that matches the public key published in the domain’s DNS records. Now in 2024, DKIM is ready for…

Read more
Security
31 Oct. 2024

Securing our world: For a safer internet

Jack Lilley

October is Cybersecurity Awareness Month, a time for industries to unite in promoting digital security within today’s complex landscape. Bad actors are leveraging increasingly sophisticated methods—such as email phishing and Business Email Compromise (BEC)—to exploit vulnerabilities, impersonate legitimate contacts, and access sensitive information. CISA Director Jen Easterly advises us to “always think before you…

Read more
Cybersecurity
31 Oct. 2024

Boosting email security amid recent Coinbase phishing attempts

Jack Lilley

In recent weeks, there have been reports of sophisticated phishing attacks disguised as official communication from the cryptocurrency platform, Coinbase. These phishing emails closely mimic Coinbase’s branding and language to build recipient trust and prompt clicks on malicious links. The subject lines of these emails generally follow a format: the sender’s address starts with…

Read more
Red Sift Logo

PLATFORM

The Red Sift Pulse Platform

Internet-scale cybersecurity intelligence meets trusted AI.
OnDMARC

Protect against phishing and BEC attacks.
Brand Trust

Stop brand abuse, fraud and lookalike attacks.
ASM

Continuously discover and manage external-facing and cloud assets.
Certificates

Real-time discovery and seamless monitoring for certificates.

INNOVATION

CUSTOMERS

Resources

Company