Google, Mozilla, and Apple have all decided to stop trusting Entrust’s publicly issued certificates after specific cutoff dates, due to long-standing compliance issues.
Why the Distrust?
Browsers depend on Certificate Authorities (CAs) to uphold stringent security and industry standards. Entrust repeatedly failed to comply—examples include delay in revoking misissued certificates, poor incident reporting, and administrative errors. This pattern of “compliance failures” led browsers to lose confidence in Entrust’s ability to act responsibly and transparently.
| Organization | Affected Certificates | Cutoff Date | Notes |
|---|---|---|---|
| Google Chrome | TLS certificates with Signed Certificate Timestamp (SCT) post-issue date | November 11, 2024 | Entrust roots not trusted in Chrome Root Program for certs issued after Oct 31, 2024 (Entrust, DigiCert, The Wall Street Journal, Cloudflare Docs, The Cloudflare Blog, Enterprise Security Tech) |
| Apple (Safari and Root Store) | TLS, S/MIME, Timestamping, VMCs issued after specific date | November 15, 2024 | Doesn’t affect certs issued on or before that date; broader certificate types impacted (Entrust, DigiCert) |
| Mozilla Firefox | TLS certificates via Entrust roots | November 30, 2024 | Distrust due to repeated compliance issues and insufficient corrective action (Google Groups, Encryption Consulting, DigiCert, Wikipedia) |
What This Means for Users
-
Old Entrust Certificates Still Valid – Certificates issued on or before the cutoff dates will remain trusted until their natural expiry.
-
New Entrust Certificates Likely to Fail – Certificates issued after the specified cutoff dates will trigger browser warnings or outright blockage.
For example:
-
Chrome rejects SCT-dated Entrust certificates after Nov 11, 2024.
-
Apple’s platforms (like Safari) reject Entrust TLS/S‑MIME certs issued after Nov 15, 2024.
-
Firefox stops trusting Entrust-issued TLS certs from Nov 30, 2024.
Entrust’s Reaction & Alternatives
Entrust publicly announced that certificates issued prior to the cutoff remain valid, and they’re working on fixing their internal processes—such as adding linting tools, establishing a change control board, and bolstering audit transparency.
Meanwhile, they’ve partnered with SSL.com to issue new certificates on Entrust’s behalf—that still rely on SSL.com roots to maintain browser trust. Cloudflare even enabled SSL.com certificates to ease migration.
--> Certificates issued before 31/10/2024 will remain valid. Certificate issued after 31/10/2024 will be no longer trusted by Google.
--> "Entrust made no moves to revoke or replace the affected certificates."
Summary
Google, Mozilla, and Apple have withdrawn trust in Entrust’s public roots, but each did so at slightly different times and with varying scopes:
-
Chrome/Google — bye to Entrust-issued TLS certs after Nov 11, 2024.
-
Apple/Safari — blocks wider certificate types (TLS, S/MIME, VMCs) after Nov 15, 2024.
-
Firefox/Mozilla — distrust kicks in end-Nov 2024.
Entrust’s existing certificates issued before those dates remain valid. For new issuance, organizations should migrate to trusted alternatives—like SSL.com or DigiCert—to avoid browser compatibility issues.
No comments:
Post a Comment