Google Is No Longer Supporting Entrust TLS Certificates. What You Need To Know

Support ceases Nov. 1.


Last week, Google announced that Chrome will no longer trust newly issued Entrust TLS certificates as of Nov. 1, 2024.

According to one report by AppViewX, a company that offers certificate life-cycle management, 90 percent of Fortune 1000 companies use more than three certificate authorities (CAs) and almost 21 percent use Entrust as one of those CAs.

If your organization is using Entrust-issued certificates, what does this mean for you? Here's a breakdown:

Why Is Google Untrusting Entrust?

Google presented its concerns with Entrust in a blog post last week:

"Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust," the post read in part and said that those reports "eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner."

"Entrust has issued certificates without the serverAuth EKU which are unsuitable for TLS server authentication, increasing the risk of man-in-the-middle (MITM) attacks and compromising secure connections. The certificates using SHA-256 with ECC P-384 keys, against policy requiring SHA-384, create a compliance gap and potential security weaknesses. This mis-issuance can lead to reduced cryptographic strength, making it easier for attackers to exploit vulnerabilities, thereby compromising the security and integrity of encrypted communications," AppViewX posted on its blog, summing up the technical aspects of Google's decision.

Entrust said in a statement to MES Computing: "The decision by the Chrome Root Program came as a disappointment to us as a long-term member of the CA/Browser Forum community. We are committed to the public TLS certificate business and are working on plans to provide continuity to our customers."

Entrust CEO Todd Wilkinson also weighed in on Google's decision in a blog post on the company's site.

"We are committed to improvement. And Entrust continues to have operational capabilities to serve our customers' public and private digital certificate needs. These capabilities extend beyond the issuing roots in question," Wilkinson wrote.

"Our recent mis-issuance incidents arose out of a misinterpretation we made of CA/Browser Forum compliance requirements. In our attempt to resolve this issue, our changes created additional non-security related mis-issuances. In our attempt to provide additional flexibility to our customers, we provided extensions and delays in revocations that were not supported by the CA/Browser Forum Requirements, which mandate five-day revocation for all certificate mis-issuances. This created an environment in which the community scrutinized past Entrust incidents. This identified past Entrust commitments, which if fully implemented, could have helped to prevent these incidents. We agree that there are opportunities for us to improve, and we have completed a thorough assessment of our CA operation in the last few months," he wrote.

"As a result of this assessment, we made changes in our organization, processes, and policies. For example, we have moved the CA product compliance team into our global compliance and operations teams to fully leverage the more robust capabilities of this larger organization. We have instituted a cross-functional change control board and a technical change review board to catch similar issues in the future. We are accelerating R&D for TLS certificate compliance and automation-related work while also improving the tracking of our public commitments and revising our public incident response practices to ensure such issues do not occur again," Wilkinson wrote.

Impact On Enterprises

As of Nov. 1, Chrome version 127 and later will stop trusting new TLS server authentication certificates issued by Entrust or AffirmTrust (which Entrust acquired from Trend Micro in 2016) on Windows, macOS, ChromeOS, Linux and Android. Chrome on iOS uses Apple's certificate verifier rather than the Chrome Root Store, so it is not affected by this change. Certificates issued before the cutoff remain trusted until they expire. Chrome users who visit a site whose certificate is no longer trusted will see a full-page warning that the connection is not private, not a subtle indicator. TLS is also required by regulations and frameworks including PCI DSS, FISMA and FedRAMP, so a certificate that browsers reject is a compliance problem as well as an availability one.

Google offered ways to find out if a website is affected:

Website operators can determine if they are affected by this issue by using the Chrome Certificate Viewer.

Use the Chrome Certificate Viewer

Navigate to a website (e.g., https://www.google.com)

Click the "Tune" icon

Click "Connection is Secure"

Click "Certificate is Valid" (the Chrome Certificate Viewer will open)

Website owner action is not required if the "Organization (O)" field listed beneath the "Issued By" heading does not contain "Entrust" or "AffirmTrust".

Website owner action is required if the "Organization (O)" field listed beneath the "Issued By" heading contains "Entrust" or "AffirmTrust".
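The same "Issued By" check, scripted so it can be run across an inventory of hostnames instead of one site at a time in the Certificate Viewer. This is an added example, not code from the article, Google or Entrust. It uses only the Python standard library and the dictionary shape that `ssl.SSLSocket.getpeercert()` returns; the sample certificate dictionaries are constructed (the issuer names are placeholders, not real Entrust intermediates), the `replace-now` / `replace-by` labels are this example's own wording, and treating the certificate's `notBefore` date as a stand-in for "new" (issued after Oct. 31, 2024) is an assumption, since `getpeercert()` does not expose the Signed Certificate Timestamps that Chrome actually looks at.

```python
"""Flag TLS certificates affected by Chrome's distrust of Entrust/AffirmTrust.

Added example (not from the article, Google or Entrust). Mirrors the manual
Chrome Certificate Viewer check: read the Organization (O) of the issuer and
flag "Entrust" or "AffirmTrust", then use the validity dates to say whether
the certificate is already untrusted or only needs replacing before expiry.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Chrome's blocking action begins Nov. 1, 2024; certificates issued earlier
# stay trusted until they expire.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)
DISTRUSTED_ORGS = ("entrust", "affirmtrust")


def issuer_org(cert: dict) -> str:
    """Return the issuer's organizationName, i.e. the 'Issued By' O field."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return ""


def _utc(cert_time: str) -> datetime:
    # getpeercert() dates look like 'Mar 15 00:00:00 2024 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def classify(cert: dict) -> str:
    """Classify one certificate dict as returned by getpeercert().

    'ok'                 issuer is not Entrust/AffirmTrust, no action needed
    'replace-now'        Entrust/AffirmTrust, issued after the cutoff:
                         Chrome 127+ will not trust it (ASSUMPTION: notBefore
                         is used as the issue date)
    'replace-by:<date>'  Entrust/AffirmTrust, issued before the cutoff:
                         trusted until it expires, replace it before that date
    """
    org = issuer_org(cert).lower()
    if not any(name in org for name in DISTRUSTED_ORGS):
        return "ok"
    if _utc(cert["notBefore"]) > CUTOFF:
        return "replace-now"
    return "replace-by:" + _utc(cert["notAfter"]).date().isoformat()


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate a live server presents (needs network access).

    A default context validates the chain, so an already-untrusted chain raises
    ssl.SSLCertVerificationError instead of returning a dict.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample inputs in getpeercert() format; not real certificates.
SAMPLE_ENTRUST_OLD = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Entrust, Inc."),),
               (("commonName", "Example Entrust Issuing CA"),)),
    "notBefore": "Mar 15 00:00:00 2024 GMT",
    "notAfter": "Mar 15 23:59:59 2025 GMT",
}
SAMPLE_AFFIRMTRUST_NEW = {
    "issuer": ((("organizationName", "AffirmTrust"),),
               (("commonName", "Example AffirmTrust Issuing CA"),)),
    "notBefore": "Nov 12 00:00:00 2024 GMT",
    "notAfter": "Nov 12 23:59:59 2025 GMT",
}
SAMPLE_OTHER = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Other CA"),),
               (("commonName", "Example Other Issuing CA"),)),
    "notBefore": "Nov 12 00:00:00 2024 GMT",
    "notAfter": "Nov 12 23:59:59 2025 GMT",
}


if __name__ == "__main__":
    # Usage: python check_entrust.py host1 host2 ...
    for host in sys.argv[1:]:
        try:
            print(host, classify(fetch_peer_cert(host)))
        except (OSError, ssl.SSLError) as exc:
            print(host, "error:", exc)
```

Run it against the hostnames in your certificate inventory; anything reported as `replace-now` is already broken for Chrome 127+ users, and `replace-by:<date>` gives the hard deadline by which a certificate from another CA in the Chrome Root Store must be installed.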

Google's decision covers only specific publicly trusted TLS root certificates. There is no impact on Entrust's private certificate offerings, including its PKI, PKI as a Service, and managed PKI. The action also does not affect its code signing, document signing, or other products.

CA Migration Steps

AppViewX offered a series of steps for organizations that may look to migrate from Entrust certificates:

"Google's decision to no longer trust Entrust TLS certificates will force organizations to move to a new CA immediately, a process that, without automation, will be very difficult and could result in lost revenue and business disruption if critical Internet applications and websites are no longer trusted. In previous cases where a CA was no longer trusted, which affected Symantec in 2018, crypto-agility and automation played a pivotal role in enabling the swift migration and mitigation of compromised certificates, and ensuring organizations remained protected and resilient," said Murali Palanisamy, chief solutions officer at AppViewX, in a statement.

Google advised website owners: "We recommend that affected website operators transition to a new publicly-trusted CA Owner as soon as reasonably possible. To avoid adverse website user impact, action must be completed before the existing certificate(s) expire if expiry is planned to take place after October 31, 2024.

While website operators could delay the impact of blocking action by choosing to collect and install a new TLS certificate issued from Entrust before Chrome's blocking action begins on November 1, 2024, website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store."