Google Chrome to Drop Entrust Certificates Starting November 1

In a major security shift, Google Chrome has announced that starting November 1, 2024, it will no longer trust digital certificates issued by Entrust, a prominent certificate authority used by millions of websites and major organizations worldwide. This change, disclosed on June 27, impacts 3.45 billion Chrome users and marks a significant overhaul in Chrome’s security policy.

Google’s decision to revoke trust in Entrust’s Transport Layer Security (TLS) certificates, including those from AffirmTrust (acquired by Entrust in 2016), is aimed at enhancing the security and privacy of its users. The Chrome Security Team emphasized that they could no longer accept Entrust’s certificates due to recent failures in handling security incidents. Google’s move is a direct response to what they describe as Entrust’s insufficiently rigorous response to publicly disclosed security issues, which has undermined confidence in the authority’s competence and reliability.

The new policy is part of Google’s Chrome Root Program, which was last updated in January. According to this policy, certificates must offer significant value and security benefits to Chrome users, a standard Entrust is now seen to fall short of. Google’s announcement reflects a broader concern over the integrity of encrypted connections facilitated by Entrust’s certificates.

Mozilla has also raised concerns about Entrust, leading to a detailed report from the certificate authority in response to issues flagged by Firefox users between March and May. In a report released on June 7, Entrust acknowledged the incidents were due to internal errors and promised to address these issues through improved compliance support, governance, and incident response mechanisms. Entrust committed to making significant organizational and cultural changes to restore trust.

Despite Entrust’s efforts to address the criticisms, Google’s decision seems final. An Entrust spokesperson expressed disappointment at the Chrome Root Program’s decision, noting the company’s long-standing involvement with the CA/B Forum community and its commitment to the TLS certificate business. However, they confirmed that the revocation does not affect Entrust’s Verified Mark Certificates, code-signing, or private certificate offerings.

For users of Chrome 127 and later versions on Android, ChromeOS, Linux, macOS, and Windows, certificates issued by Entrust and AffirmTrust before October 31, 2024, will remain valid until their expiration date. After November 1, these certificates will no longer be trusted, and users will encounter warnings about ‘connection not private’ when attempting to access sites using these blocked certificates. This warning indicates potential security risks, such as attempts to steal personal or financial information.

Website operators are urged to transition to a different certificate authority before the deadline. Although Google has suggested that operators might temporarily mitigate issues by installing new TLS certificates from Entrust before the November 1 cutoff, they will ultimately need to adopt certificates from other trusted CAs included in Chrome’s Root Store.

Google has advised website operators to switch to a new CA to avoid disruptions. However, users can manually trust root certificates if necessary, which allows for continued functionality even after the cutoff date. Google stated that enterprise users or those with specific configurations could override the new restrictions through Group Policy Objects on Windows, ensuring that certificates continue to work as they do today if explicit trust is established.

In summary, Google Chrome’s decision to sever ties with Entrust marks a significant shift in its approach to security. While the change aims to protect users by enhancing trust in digital certificates, it also underscores the ongoing need for vigilance and adaptability in the realm of web security.