Google Chrome to Block Entrust Certificates Starting November 2024

In a significant move to bolster online security, Google has announced that its Chrome browser will stop trusting TLS server certificates that chain to Entrust's roots and are issued after October 31, 2024, with the change taking effect on November 1, 2024. Certificates issued before that date continue to work until they expire. The decision stems from a pattern of compliance failures by Entrust and its failure to address publicly reported incidents promptly.

“Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted [certificate authority] owner,” Google’s Chrome security team stated.

Implications for Chrome Users and Enterprise Customers

Starting with Chrome version 127, TLS server authentication certificates that chain to Entrust's roots and are issued after October 31, 2024 will no longer be trusted by default; certificates issued on or before that date remain trusted until they expire. Chrome users and enterprise customers can override these defaults if necessary.

Google emphasized the role certificate authorities (CAs) play in vouching for the identity of websites, which is what makes the encrypted connection between a browser and a site meaningful. It cited Entrust's lack of progress on publicly disclosed incident reports and its unmet commitments to improve, which it said pose risks to the broader internet ecosystem.

The blocking action will impact Chrome on various platforms, including Windows, macOS, ChromeOS, Android, and Linux. However, Chrome for iOS and iPadOS will be exempt due to Apple’s policies, which do not allow the Chrome Root Store to be used.

Users who visit a website whose certificate chains to Entrust or AffirmTrust and was issued after the October 31, 2024 deadline will see a full-page interstitial warning that their connection is not private or secure.

Urgent Call for Affected Website Operators

Website operators using Entrust certificates are urged to move to a different publicly trusted CA by October 31, 2024 to avoid disruption. Entrust's website lists major customers such as Microsoft, Mastercard, VISA, and VMware, all of whom will need to plan this migration promptly.

“While website operators could delay the impact of blocking action by choosing to collect and install a new TLS certificate issued from Entrust before Chrome’s blocking action begins on November 1, 2024, website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store,” Google advised.

Industry Reactions

The announcement has sparked various reactions from industry experts, highlighting the importance of maintaining high standards in certificate management and the need for proactive measures.

Tim Callan, Chief Experience Officer at Sectigo, remarked, “The Entrust news is a sharp reminder of why it is so important for Certificate Authorities (CAs) to take their role as stewards of public trust very seriously. CAs have to hold themselves to the highest of standards, not only for the sake of their business but for all the people and businesses that depend on them.”

Murali Palanisamy, Chief Solutions Officer at AppViewX, underscored the potential disruption for large organizations: “With news coming out that Google Chrome will no longer trust TLS certificates from Entrust starting November 1, 2024, organizations will need to start preparing now for this massive disruption. Based on our research, more than 20 percent of Fortune 1000 companies use Entrust as a Certificate Authority (CA).”

Tomas Gustavsson, Chief PKI Officer at Keyfactor, highlighted the broader implications and the need for crypto-agility: “Google’s decision to no longer trust Entrust Root Certificate Authorities (CAs) in the Chrome browser will inevitably create many downstream effects on the system of trust that we rely on to do business online. It highlights the need for organizations to embrace CA and crypto-agility. Even the best CAs can and have fallen victim to human error.”

Preparing for the Transition

As the deadline approaches, IT and security leaders should inventory their Public Key Infrastructure (PKI) and certificate estate: which certificates chain to Entrust or AffirmTrust roots, when each expires, and which will need renewal after the cutoff and must therefore be re-issued by another CA. Doing that by hand rarely scales across a large organization.
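To make the inventory rule concrete, the following Go program (an added example, not code from Google, Entrust, or any vendor quoted on this page) builds constructed test chains with Go's standard crypto/x509 package and classifies each leaf the way an inventory scan would: does it chain to a root whose subject organization is Entrust, Inc. or AffirmTrust, and was it issued after October 31, 2024? The root and leaf certificates, the organization name used for the unaffected control, and the use of the NotBefore date as the issuance date are assumptions of this example; Chrome's announcement keys the cutoff on the certificate's earliest Signed Certificate Timestamp, which a scan of already-installed certificates usually has to approximate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chrome's rule: TLS certificates chaining to the Entrust/AffirmTrust roots and
// issued after October 31, 2024 lose default trust in Chrome 127+; earlier ones stay trusted until expiry.
var chromeCutoff = time.Date(2024, time.October, 31, 23, 59, 59, 0, time.UTC)

// Subject O= values as they appear in the public Entrust and AffirmTrust roots.
var affectedRootOrgs = map[string]bool{"Entrust, Inc.": true, "AffirmTrust": true}

type Finding int

const (
	Unaffected         Finding = iota // chains to a root Chrome keeps trusting
	TrustedUntilExpiry                // affected root, issued on or before the cutoff
	Distrusted                        // affected root, issued after the cutoff
)

// classify chains leaf to a root in pool and applies Chrome's rule. Assumption of this
// example: the leaf's NotBefore stands in for its issuance (earliest SCT) date.
func classify(leaf *x509.Certificate, pool *x509.CertPool, cutoff time.Time) (Finding, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: leaf.NotBefore.Add(time.Hour), // evaluate inside the leaf's validity window
	})
	if err != nil {
		return Unaffected, err // no chain to a known root: cannot classify
	}
	root := chains[0][len(chains[0])-1]
	affected := false
	for _, org := range root.Subject.Organization {
		affected = affected || affectedRootOrgs[org]
	}
	switch {
	case !affected:
		return Unaffected, nil
	case leaf.NotBefore.After(cutoff):
		return Distrusted, nil
	}
	return TrustedUntilExpiry, nil
}

// mkCert issues a constructed test certificate (not a real Entrust certificate).
// parent == nil yields a self-signed root; otherwise parentKey signs it.
func mkCert(org, cn string, isCA bool, notBefore time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(1, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{"www.example.com"},
	}
	if isCA { // long-lived root with no EKU restriction and no SAN
		tmpl.NotAfter, tmpl.KeyUsage = notBefore.AddDate(20, 0, 0), x509.KeyUsageCertSign
		tmpl.ExtKeyUsage, tmpl.DNSNames = nil, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// scenario builds a constructed root with the given organization, issues a leaf
// under it dated leafNotBefore, and classifies that leaf against chromeCutoff.
func scenario(rootOrg string, leafNotBefore time.Time) (Finding, error) {
	root, rootKey, err := mkCert(rootOrg, rootOrg+" Root CA", true,
		time.Date(2015, time.January, 1, 0, 0, 0, 0, time.UTC), nil, nil)
	if err != nil {
		return Unaffected, err
	}
	leaf, _, err := mkCert("Acme Widgets Ltd", "www.example.com", false, leafNotBefore, root, rootKey)
	if err != nil {
		return Unaffected, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return classify(leaf, pool, chromeCutoff)
}

func main() {
	f, err := scenario("Entrust, Inc.", time.Date(2024, time.December, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println(f, err) // leaf issued after the cutoff: prints 2 <nil> (Distrusted)
}
```

Pointing the same classify function at certificates collected from real endpoints (for example, the peer chain from a crypto/tls handshake) with the real Entrust and AffirmTrust roots in the pool gives an inventory of which hosts must be re-issued from another CA before their current certificate expires, and which can ride out their remaining validity.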

“While unfortunate, businesses will need to act quickly to identify and replace affected certificates, and this cannot be done manually. It is a wake-up call for organizations that digital trust isn’t static, it’s always under threat,” Gustavsson added.

The transition away from Entrust certificates represents a critical juncture for many businesses. Maintaining continuity and security requires full visibility into every certificate in use, automated issuance and renewal, and the ability to switch CAs without downtime, so that trust in online operations is preserved when a CA is removed from a root store.