If you have many certificates to replace or other complex technical or business requirements, please contact our team to discuss the best migration path for your organization. DigiCert offers a wide variety of trusted digital certificates, PKI services, and certificate lifecycle management.
Public TLS/SSL certificates issued from Entrust roots will not be trusted by Google Chrome if the Signed Certificate Timestamp (SCT) is dated after November 11, 2024, and by Mozilla if the SCT is dated after November 30, 2024.
We understand this incident is a business disruption for affected organizations.
As a global leader in public and private trust solutions, we are committed to helping you maintain critical operations and ensure business continuity during the transition from Entrust and beyond.
Our experts can help ensure you make the transition without disruption or costly outages. Reach out today.
We helped thousands navigate the Symantec distrust in 2018. Join us for an experience-backed roadmap to avoiding disruption from the Entrust distrust.
Why did Google decide to distrust Entrust roots?
In their announcement of the decision, Google said:
Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.
And...
Certification Authorities (CAs) serve a privileged and trusted role on the Internet that underpin encrypted connections between browsers and websites. With this tremendous responsibility comes an expectation of adhering to reasonable and consensus-driven security and compliance expectations, including those defined by the CA/Browser TLS Baseline Requirements.
Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified.
When will my Entrust certificates be distrusted by Google Chrome?
Public TLS certificates issued from Entrust roots with a Signed Certificate Timestamp (SCT) dated after November 11, 2024, will not be trusted by Google Chrome after November 11, 2024. (The Chrome team originally announced the distrust would begin on November 1 but moved the date to November 12 to coincide with a release of the Chrome browser.)
Any Entrust TLS certificate with an SCT dated on or before November 11, 2024, will be valid for its term. But if you modify, rekey, or renew such a certificate, it will be distrusted.
Have any other browsers announced that they will distrust Entrust certificates?
At the end of July, Mozilla announced that they would distrust Entrust roots as of December 1. Any Entrust TLS certificate with an SCT dated on or before November 30, 2024, will be valid for its term. But if you modify, rekey, or renew such a certificate on or after December 1, it will be distrusted.
Neither Microsoft nor Apple has made an announcement on the matter.
When should I start replacing my current Entrust certificates?
We recommend customers start planning their replacement strategy as soon as possible, with an accurate inventory of their certificates. This effort involves learning when each certificate will expire, assessing the risk profile of the associated service, and planning the replacement process. Contact us today to start your migration plan.
How can I determine if we are using Entrust certificates in our environment?
A variety of tools can connect to your infrastructure to scan and discover certificates in your environment. If you are an Entrust customer, look in your Entrust console for tools to help.
DigiCert customers can use DigiCert® Trust Lifecycle Manager (TLM) and DigiCert CertCentral® to evaluate their environment and identify any Entrust certificates in need of replacement. Contact us if you need help with scanning and discovery.
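The inventory and planning steps above can be sketched as a small triage script. This is an added example, not DigiCert or Entrust tooling. It assumes a CSV export with hypothetical columns `host`, `issuer_org`, `sct_times` and `not_after`, treats each cutoff date as ending at 23:59:59 UTC, and judges a certificate by its earliest SCT.

```python
import csv
import io
from datetime import datetime, timezone

# Cutoffs from the text: an SCT dated after these dates is not trusted.
# Assumption: each date ends at 23:59:59 UTC.
CUTOFFS = {
    "chrome": datetime(2024, 11, 11, 23, 59, 59, tzinfo=timezone.utc),
    "mozilla": datetime(2024, 11, 30, 23, 59, 59, tzinfo=timezone.utc),
}

# Constructed sample inventory (hypothetical hosts); sct_times is ';'-separated.
SAMPLE_INVENTORY = """host,issuer_org,sct_times,not_after
shop.example.test,"Entrust, Inc.",2024-03-02T10:15:00Z;2024-03-02T10:15:04Z,2025-03-30
api.example.test,"Entrust, Inc.",2024-11-20T08:00:00Z;2024-11-20T08:00:02Z,2025-11-19
vpn.example.test,"Entrust, Inc.",2024-12-05T12:00:00Z,2025-12-04
www.example.test,Example CA,2024-12-05T12:00:00Z,2025-12-04
"""

def parse_utc(stamp):
    """Parse an ISO 8601 timestamp with a trailing 'Z' as an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def triage(inventory_csv):
    """Return one dict per Entrust-issued certificate, soonest expiry first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Assumption: an issuer organization containing "entrust" marks the cert.
        if "entrust" not in row["issuer_org"].lower():
            continue
        # Assumption: a certificate is judged by its earliest SCT.
        earliest = min(parse_utc(s) for s in row["sct_times"].split(";"))
        distrusted = sorted(b for b, cutoff in CUTOFFS.items() if earliest > cutoff)
        findings.append({
            "host": row["host"],
            "not_after": row["not_after"],
            "distrusted_by": distrusted,
            # Certificates inside the cutoff stay valid for their term, but a
            # modify, rekey or renew gets a new SCT, so replace before renewal.
            "action": "replace now" if distrusted else "replace before renewal",
        })
    return sorted(findings, key=lambda f: f["not_after"])

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["not_after"], f["host"], f["distrusted_by"] or "trusted", f["action"])
```

The output is ordered by expiry date, so the certificates that need a replacement plan first appear at the top.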