Is Your Site Secure? Entrust’s Trustworthiness in Question

In today’s digital era, website security is crucial. Recent issues have called the reliability of Entrust’s TLS certificates into question, leading to significant changes in their trustworthiness. If you use Entrust for your digital certificates, it’s essential to understand these changes and how to adapt to maintain your site’s security.

What Happened with Entrust Certificates?

On June 27, 2024, Google’s Chrome Security Team (CST) published a critical article, “Sustaining Digital Certificate Security – Entrust Certificate Distrust,” which caused a stir in the digital security community. The CST cited multiple public incidents that have severely undermined confidence in Entrust’s competence, reliability, and integrity as a trusted Certificate Authority (CA). Consequently, Chrome will no longer trust Entrust.

Actions by the Chrome Security Team

From Chrome version 127, released after October 31, 2024, TLS certificates issued by Entrust’s root CAs will not be trusted. This affects a substantial portion of the market, as Chrome holds over 65.68% of the browser market share as of June 2024. The affected Entrust roots include:

Are You Affected?

If your website uses a TLS certificate issued by Entrust, you are directly impacted. Also check whether your certificate was white-labelled, that is, sold under another brand while its intermediate CA was issued from an Entrust root CA. Use Chrome’s certificate viewer to verify your site’s certificate issuer.

Steps to Take

To keep your website secure and trustworthy, you must acquire a new certificate from a different CA. Reissuing through Entrust is not an option. Seek a refund from Entrust for any losses. Follow these steps:

1. Select a New CA: Choose a reputable CA like DigiCert, known for its innovation and reliability.

2. Generate a Certificate Signing Request (CSR): Create and submit a CSR to your new CA.

3. Submit CSR and Obtain New Certificate: The CA will process your request and issue a new certificate.

4. Install the New Certificate: Ensure the new certificate is installed on your server to maintain encrypted and secure communications.

Urgency of the Matter

Immediate action is needed. Transitioning from Entrust to a new CA can take 1-3 weeks for Extended Validation (EV) or Organisation Validation (OV) certificates. Start the process now to avoid disruptions and ensure your site remains accessible and trusted by Chrome users.

Choosing a Certificate Authority

DigiCert is a recommended alternative. Known for its commitment to security, DigiCert ensures your TLS certificates are backed by industry-leading encryption and compliance. Engage with a dedicated account manager to secure your site during this transition.

Testing in Advance

Chrome version 128 offers tools to simulate the impact of these changes. Testing before the November 1, 2024 deadline ensures a smooth transition and avoids unexpected disruptions to your site’s accessibility.

User Experience Changes in Chrome 127 and Higher

From November 1, 2024, Chrome users will see a full-page warning for sites with certificates issued by Entrust or AffirmTrust after this date. To prevent these warnings and maintain user trust, transition to a trusted CA.

Steps for Enterprises

For enterprises managing internal networks, maintaining trust involves installing the necessary root CA certificates locally. Steps include:

1. Audit Current Certificates: Identify all Entrust-issued certificates and their expiration dates.

2. Plan Transition: Develop a timeline for transitioning to a new CA, prioritising certificates nearing expiration.

3. Communicate with Stakeholders: Inform all relevant parties about the changes and actions being taken.

4. Implement and Test: Install new certificates and test systems to ensure seamless integration.
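
The audit step above, together with the white-label check under "Are You Affected?", can be scripted over the chain text printed by `openssl s_client -connect HOST:443 -showcerts`. This is an added example, not code from the original article or from Chrome. The function names, the name-based match on Entrust and AffirmTrust, and the 21-day urgency threshold are assumptions of this example, and the sample chains are constructed.

```python
import re
from datetime import datetime, timezone

# Heuristic name match (an assumption of this example); the authoritative list
# of affected roots is the one in Chrome's announcement.
AFFECTED_ORG = re.compile(r'\bO\s*=\s*"?(Entrust|AffirmTrust)\b')
NOT_AFTER = re.compile(r"NotAfter:\s*(\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+GMT")
LEAD_TIME_DAYS = 21  # upper end of the 1-3 weeks quoted for OV/EV issuance

def audit_chain(host, chain_text, now):
    """Return a finding for one host, or None if no issuer in the chain matches."""
    issuers, expiry = [], None
    for line in map(str.strip, chain_text.splitlines()):
        if line.startswith("i:"):
            issuers.append(line[2:])
        elif line.startswith("v:") and expiry is None:  # first v: line is the leaf
            m = NOT_AFTER.search(line)
            if m:
                expiry = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
                expiry = expiry.replace(tzinfo=timezone.utc)
    depths = [d for d, dn in enumerate(issuers) if AFFECTED_ORG.search(dn)]
    if not depths:
        return None
    days_left = (expiry - now).days if expiry else None
    return {"host": host, "days_left": days_left,
            "white_labelled": depths[0] > 0,  # leaf's direct issuer is another brand
            "urgent": days_left is None or days_left <= LEAD_TIME_DAYS}

def audit(inventory, now):
    """Audit {host: s_client text}; affected hosts, soonest expiry first."""
    found = [f for h, t in inventory.items() if (f := audit_chain(h, t, now))]
    return sorted(found, key=lambda f: (f["days_left"] is None, f["days_left"] or 0))

# Constructed sample (hosts, DNs and dates are invented), OpenSSL 3.x layout.
SAMPLE = {
    "www.example": ' 0 s:CN = www.example\n'
                   '   i:C = US, O = "Entrust, Inc.", CN = Constructed Issuing CA\n'
                   '   v:NotBefore: Mar  5 12:00:00 2024 GMT; NotAfter: Mar  5 12:00:00 2025 GMT\n',
    "shop.example": ' 0 s:CN = shop.example\n'
                    '   i:O = Example Reseller, CN = Example Reseller TLS CA\n'
                    '   v:NotBefore: Nov 20 00:00:00 2023 GMT; NotAfter: Nov 19 23:59:59 2024 GMT\n'
                    ' 1 s:O = Example Reseller, CN = Example Reseller TLS CA\n'
                    '   i:C = US, O = "Entrust, Inc.", CN = Constructed Root\n',
    "blog.example": ' 0 s:CN = blog.example\n'
                    '   i:O = Example Other CA, CN = Example Other CA R1\n'
                    '   v:NotBefore: Jun  1 00:00:00 2024 GMT; NotAfter: Jun  1 00:00:00 2025 GMT\n',
}
```

Calling `audit(SAMPLE, now)` with `now` set to November 1, 2024 (UTC) lists `shop.example` first: its direct issuer looks unrelated, but the chain ends at an Entrust-named issuer and the leaf expires inside the replacement lead time.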

Future of Certification Authorities

The CA industry must uphold rigorous standards. The CA/Browser Forum is crucial in enforcing these standards, ensuring only trustworthy CAs are recognised. Future focus areas include:
  • Enhanced Validation Processes: Strengthening issuance and validation processes to prevent misuse. 
  • Transparency and Reporting: Increasing CA operation transparency and improving security incident reporting. 
  • Adapting to New Threats: Continuously evolving security measures to counter emerging threats and vulnerabilities. 
Google Chrome’s decision to distrust Entrust underscores the need for stringent security standards and accountability. Website operators must transition to trusted CAs to maintain site security and accessibility. Stay informed and proactive to ensure a safer internet environment. For detailed information, refer to Chrome’s official announcements and guidelines. Stay secure and keep your site trusted by users worldwide.