Switch to DigiCert
Web Security

Move to DigiCert for TLS/SSL trusted by Google, Mozilla, and Apple to keep your visitors safe after Entrust’s root distrust from new certificate issuance.

Start your migration
Switch to DigiCert web security
CONTACT US

Why were Entrust Roots Distrusted from New Issuance?

Google Chrome and Mozilla Firefox chose to distrust new issuance of Entrust certificates from Entrust roots, after Entrust failed to meet browser standards. Browsers like Google and Mozilla do not arbitrarily distrust CA roots. A CA must typically exhibit a sustained pattern of compliance failures over time. Google and Mozilla documented a number of issues that went unresolved by Entrust over several years. As a result of these compliance failures, Google has distrusted certain configurations of Entrust TLS/SSL certificates with a Signed Certificate Timestamp (SCT) issued after November 11, 2024. Apple and Mozilla followed suit and distrusted Entrust certificates with a SCT issued after November 15, 2024 and November 30, 2024 respectively.

Need to Purchase a Small Number of
Replacement Certificates?

Buy trusted TLS/SSL in our online store >

What do I Need to do if I Use Entrust Certificates?

If your organization uses affected Entrust public TLS/SSL certificates to protect your web properties, you’ll want to migrate to a new CA to issue certificates that are trusted by Google, Apple, and Mozilla before your existing Entrust certificates expire. If your sites are not secured by a trusted CA after the distrust dates, visitors will see that your website has been labeled as unsecured.

Steps you Should Take to Begin Migration

Inventory your web certificates

Scan your full enterprise ecosystem to identify all Entrust certificates affected by the browser decision and catalog these certificates for revocation and replacement.

Issue trusted certificates

Configure and issue replacement certificates, so your systems that are affected will be protected prior to revocation and distrust.

Revoke affected certificates

Once you have installed replacement certificates, remove all affected certificates through the revocation process.

Automate security for all certificates

Set up automation through a certificate services and management platform to govern certificate lifecycles, reduce outages, and save time.

  

Talk to an expert

 

How DigiCert Earns your Trust

DigiCert offers a variety of trusted digital certificates, PKI services
and our modern Certificate Lifecycle Management solution, DigiCert®
Trust Lifecycle Manager.

We take our responsibility as a Certificate Authority in the root store of all major
browsers very seriously. Our entire company’s sole focus is—and has been for
more than two decades—to do everything in our power to deliver digital trust to our
customers that enables them to safely communicate, engage, and transact across
the breadth of the connected world.

 

  • Compliance for all

    DigiCert employs a proactive and data-driven approach to compliance—and we even offer our technology freely to help other organizations do the same, including our recent open-source release of PKIlint, an automated certificate linter that enables users to rapidly check certificates for errors and compliance issues.

    UP NEXT
    <   1  /  1  >
  • Global standards and governance

    Without a globally accepted body of standards, there is no core foundation for trust. We adhere to all the requirements of the CA/Browser Forum for the issuance and management of certificates.

    UP NEXT
    <   1  /  1  >
  • Public communication and collaboration

    At DigiCert, transparency is at the core of our commitment to maintaining trust and integrity in digital security. When a revocation incident occurs, we prioritize clear and prompt communication, including the cause, scope, and steps taken to address the issue. Our goal is to ensure that all stakeholders are fully informed and confident in our actions to uphold our commitment to their security and the standards by which we are governed.

    UP NEXT
    <   1  /  1  >
  • Leading by example

    We take our responsibility as a Certificate Authority in the root store of all major browsers very seriously. Our entire company’s sole focus is—and has been for more than two decades—to do everything in our power to deliver digital trust to our customers.

    UP NEXT
    <   1  /  1  >

Need Help Building a Trusted Migration Plan?

Our trust solutions team can help ensure you make the transition without
disruption or costly outages. Get in touch today.

 

By supplying my personal information and clicking submit, I agree to receive communications about DigiCert products and services, and I agree to DigiCert and its affiliates processing my data in accordance with DigiCert's Privacy Policy.

FAQ

How can I know if I have been affected by the distrust? 

If you have been affected, users of the current version of Chrome will get errors attempting to access your sites. If you do not know what certificates you have or who issued them, you should perform an inventory of your cryptographic assets. A variety of tools can connect to your infrastructure to scan and discover certificates in your environment. If you are an Entrust customer, look in your Entrust console for tools to help. 

DigiCert can help you create an inventory, evaluate your environment, and identify any Entrust certificates in need of replacement.  Contact us here  for a custom migration plan or for assistance using our new Entrust Discovery Connector.

If we have to migrate many servers to DigiCert certificates, is there a tool that can assist the migration?

DigiCert Trust Lifecycle Manager accommodates enterprise PKI at scale, working with your existing architecture. Trust Lifecycle Manager allows you to discover certificates issued by any TLS/SSL source, not just those from DigiCert or Entrust. We offer automation for both public and private PKI, and Trust Lifecycle Manager provides a secure workforce management platform, so you can implement role-based access controls with ease. 

How long will it take to get new certificates?

Getting new certificates is straightforward and fast, provided you are responsive. We will need to validate your domain, which takes seconds, and then validate your organization, which can be done in minutes. The entire process of getting your new certificates can be completed very quickly, in most cases. 

Organization Validation (OV) is good for two years. Once you have validated with DigiCert, you only need to complete Domain Validation (DV), which means subsequent certificate requests will be even quicker.

Why choose DigiCert over Let's Encrypt?

DigiCert offers award-winning live support, customization, and representation for easier issuance, management, and mitigation throughout the entire certificate lifecycle. DigiCert is best known for customer support and working with customers to meet all their certificate needs. Let's Encrypt serves an important purpose, but they don't provide all certificate types, a management console, live technical support, or sophisticated ancillary services such as certificate lifecycle management. You can manage all your DigiCert certificates with CertCentral or Trust Lifecycle Manager for certificates issued by other Certificate Authorities.

Do you offer competitive pricing for Entrust customers?

DigiCert is offering incentives for some customers affected by this event. Please see our online store or contact us for more details.

  • How can I know if I have been affected by the distrust?
  • If we have to migrate many servers to DigiCert certificates, is there a tool that can assist the migration?
  • How long will it take to get new certificates?
  • Why choose DigiCert over Let's Encrypt?
  • Do you offer competitive pricing for Entrust customers?

 
VIEW MORE FAQs

  • DigiCert Logo

    The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.