Google will no longer trust Entrust certificates from October 2024

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now.

On Thursday 27th June 2024, Google announced that it had been “closely following the discussions in the MDSP community regarding Entrust’s compliance failures. Despite being given a clear opportunity to thoroughly and satisfactorily address these issues through an initial report, Entrust’s response failed to meet [Google’s] and the community’s expectations. When provided with yet another chance to rise to the expected level of a public CA Owner, the subsequent report, although superficially improved, still does not offer substantive, convincing evidence of meaningful change.”

“TLS server authentication certificates validating to the following Entrust roots whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024 (GMT), will no longer be trusted by default.”

  • CN=Entrust Root Certification Authority - EC1,OU=See www.entrust.net/legal-terms+OU=(c) 2012 Entrust, Inc. - for authorized use only,O=Entrust, Inc.,C=US
  • CN=Entrust Root Certification Authority - G2,OU=See www.entrust.net/legal-terms+OU=(c) 2009 Entrust, Inc. - for authorized use only,O=Entrust, Inc.,C=US
  • CN=Entrust.net Certification Authority (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c) 1999 Entrust.net Limited,O=Entrust.net
  • CN=Entrust Root Certification Authority,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2006 Entrust, Inc.,O=Entrust, Inc.,C=US
  • CN=Entrust Root Certification Authority - G4,OU=See www.entrust.net/legal-terms+OU=(c) 2015 Entrust, Inc. - for authorized use only,O=Entrust, Inc.,C=US
  • CN=AffirmTrust Commercial,O=AffirmTrust,C=US
  • CN=AffirmTrust Networking,O=AffirmTrust,C=US
  • CN=AffirmTrust Premium,O=AffirmTrust,C=US
  • CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US

Entrust’s response

Later that same day, Entrust President & CEO Todd Wilkinson released a statement to customers: 

“To address your concerns, there have been no security implications to the events that led to this distrust event, and you can be assured that your certificates are secure. I also want to assure you that Entrust can and will be able to serve your digital certificate needs now and in the future. And our ability to do this extends beyond the public roots covered in Google’s decision.”

What happens next?

While there is precedent for such scenarios, most recently the distrust of Symantec, the exact next steps remain uncertain. Given the urgency of the timeline, Entrust is expected to announce further plans soon.

What does this mean for VMC certificates?

VMC certificates issued by Entrust are not currently affected. However, the Gmail team indicated that it is ‘working internally to assess the situation.’ We will keep our customers updated as we learn more.

Actions customers need to start taking

Although Entrust has so far stated it’s business as usual, Red Sift advises customers to be prudent and take the following steps.

  • Review your certificate inventory using Red Sift Certificates to measure your exposure to Entrust. Even if you think you do not rely on Entrust certificates, it is still highly recommended that you do this.
  • Map the parts of your estate that have a dependency on Entrust as a Certification Authority.
  • Identify any third-party certificates that your services depend on that will be impacted, and ensure the vendors concerned understand the current scenario and are taking a pragmatic approach.
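The following is an added example (not Red Sift Certificates code) of the exposure check described in the steps above, applied to an inventory that has already been extracted from scan results: for each host, the subject DN of the root the chain validates to and the earliest SCT embedded in the leaf. It encodes Chrome's rule as quoted earlier, keyed on the CNs of the listed roots; the hostnames, dates and the non-Entrust root in the sample are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# CN of each root named in Google's announcement (the DNs listed above).
DISTRUSTED_ROOT_CNS = frozenset({
    "Entrust Root Certification Authority - EC1",
    "Entrust Root Certification Authority - G2",
    "Entrust.net Certification Authority (2048)",
    "Entrust Root Certification Authority",
    "Entrust Root Certification Authority - G4",
    "AffirmTrust Commercial", "AffirmTrust Networking",
    "AffirmTrust Premium", "AffirmTrust Premium ECC"})
UTC = timezone.utc
# "Earliest SCT dated after October 31, 2024 (GMT)" is read as >= 2024-11-01T00:00:00Z (assumption).
CUTOFF = datetime(2024, 11, 1, tzinfo=UTC)

def cn_from_dn(dn: str) -> str:
    """CN of an RFC 4514 DN string whose first RDN is CN=, as in the roots above."""
    first = dn.split(",", 1)[0]
    if not first.startswith("CN="):
        raise ValueError(f"DN does not start with CN=: {dn}")
    return first[3:]

@dataclass
class CertRecord:
    hostname: str
    root_dn: str            # subject DN of the root the chain validates to
    earliest_sct: datetime  # earliest SCT embedded in the leaf, UTC

def classify(rec: CertRecord) -> str:
    """Chrome's verdict for one TLS server certificate."""
    if cn_from_dn(rec.root_dn) not in DISTRUSTED_ROOT_CNS:
        return "unaffected"
    if rec.earliest_sct >= CUTOFF:
        return "distrusted"  # Chrome will reject this leaf by default
    return "trusted-migrate-at-renewal"  # valid now; next renewal needs another root

def exposure_report(records: list) -> dict:
    """Group hostnames by verdict so the affected part of the estate is visible."""
    report: dict = {}
    for rec in records:
        report.setdefault(classify(rec), []).append(rec.hostname)
    return report

# Constructed sample inventory: hostnames and dates are invented.
SAMPLE = [
    CertRecord("www.example.test", "CN=Entrust Root Certification Authority - G2,O=Entrust, Inc.,C=US", datetime(2024, 3, 12, tzinfo=UTC)),
    CertRecord("api.example.test", "CN=Entrust Root Certification Authority - G4,O=Entrust, Inc.,C=US", datetime(2024, 11, 5, tzinfo=UTC)),
    CertRecord("shop.example.test", "CN=AffirmTrust Premium,O=AffirmTrust,C=US", datetime(2024, 10, 31, 23, 30, tzinfo=UTC)),
    CertRecord("mail.example.test", "CN=Example Root CA (constructed),O=Example,C=US", datetime(2024, 11, 5, tzinfo=UTC)),
]
```

Only Chrome's behaviour is modelled here; other clients keep their own root programs, so a "trusted-migrate-at-renewal" host still needs a migration plan before its next renewal.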

How Red Sift can help

This situation highlights why Red Sift Certificates is an essential part of our customers’ security software stack, particularly in today’s decentralized and heavily automated certificate issuance landscape. Without it, security and infrastructure teams may lack visibility into which Certification Authorities (CAs) are utilized and where certificates are deployed.

Red Sift Certificates (formerly known as Hardenize) customers can easily leverage our existing reports to locate all public certificates within their estate, regardless of the issuing CA or the hostnames on which they are deployed. This capability allows them to comprehensively map out and understand their risk exposure, enabling informed decision-making for their organization.

To address the current scenario, we will soon introduce a specific report to our Certificates dashboard. With a single click, customers will be able to view their current exposure and monitor any changes from now until October.

If you are not an existing Red Sift Certificates customer, then request a free demo. Our team will have you up and running within a matter of minutes.

PUBLISHED BY

Red Sift

2 Jul. 2024
