Google’s Chrome security team has announced a significant shift in its browser’s approach to digital certificate trust, affecting the security and privacy of its 3.4 billion users. Originally scheduled to take effect on November 1, the change has been postponed to November 12. This adjustment means that starting on this new date, Chrome will no longer trust digital certificates issued by Entrust, one of the largest certificate authorities (CAs) globally. This move is notable because Entrust serves a wide range of clients, including major institutions such as Chase Bank, Dell, Ernst & Young, and Mastercard, as well as numerous governments worldwide.
Google’s decision to terminate trust in Entrust’s certificates stems from ongoing concerns about Entrust’s handling of security incidents. The Chrome Root Program Policy mandates that any CA certificate included in the Chrome Root Store must offer significant value to Chrome users that outweighs the risk associated with its inclusion. When CA providers fail to disclose and address security issues appropriately, Google expects them to demonstrate a commitment to substantial and proven improvements. Google’s stance on Entrust is influenced by a series of security incidents reported over the past several years. The company has noted a pattern of troubling behaviors by Entrust that fall short of the policy’s expectations. This has led to a loss of confidence in Entrust’s competence, reliability, and integrity as a trusted CA. Despite acknowledging past mistakes, Entrust has struggled to fully rectify the issues, according to Google. Entrust’s president of digital security solutions, Bhagwat Swaroop, admitted that recent incidents were mishandled, particularly regarding the communication and reporting of affected certificates.
From November 12, with the release of Chrome 131 across all major platforms including Android, ChromeOS, Linux, macOS, and Windows, Entrust-issued certificates will no longer be recognized as trusted. Users attempting to access websites with Entrust certificates will encounter a “connection not private” warning. This change is set to impact a significant number of websites that rely on Entrust for their SSL/TLS certificates. Website administrators affected by this change have several options. Google has advised impacted sites to explore continuity solutions offered by Entrust. Detailed guidance and support are available through the Certificate Information Center on Entrust’s website. While the decision affects Entrust’s server authentication certificates, it does not impact its Verified Mark Certificates, code-signing, digital signing, or private certificate offerings.
To mitigate the impact of this change, website administrators should take the following steps: review certificate validity, investigate continuity options provided by Entrust, update certificates if transitioning to a new CA, and communicate with users about potential changes. Google has also indicated that users who manually trust the affected certificates in their Chrome browsers will continue to be able to use them without interruptions. However, this is a temporary measure and does not address the broader issue of trust for all users. For those seeking further information, Google has published a comprehensive FAQ and a full listing of the impacted certificates on its website. In summary, Google’s extended deadline for Entrust certificates reflects a careful approach to ensuring browser security and user trust. As the November 12 deadline approaches, website administrators must act swiftly to adjust their certificate management strategies and maintain secure, trustworthy connections for their users.
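The first step above, reviewing which of your certificates chain to Entrust and when they expire, is easy to script. The following is an added example (not code from the article, Google or Entrust) written against Python's standard-library `ssl` module. It audits a certificate in the dictionary form returned by `ssl.SSLSocket.getpeercert()`: the issuer organization is matched against "Entrust" and the expiry date is compared with the audit date, with the November 12 Chrome 131 date from the article used as the cutoff. The two sample certificates are constructed for the example; the organization names, hostnames and dates in them are assumptions, not real issued certificates. `fetch_leaf_cert()` retrieves a live server's leaf certificate so the same audit can be run against your own hosts; note that `getpeercert()` returns only the leaf, so the issuer field identifies the intermediate CA that signed it, not the root.

```python
import socket
import ssl
from datetime import datetime, timezone

# Date from the article on which Chrome 131 stops trusting Entrust-issued certificates.
CHROME_DISTRUST_DATE = datetime(2024, 11, 12, tzinfo=timezone.utc)


def rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def audit_cert(cert, now):
    """Return an audit record for one certificate dict as produced by getpeercert()."""
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName") or ""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    findings = []
    if "entrust" in issuer_org.lower():
        if now >= CHROME_DISTRUST_DATE:
            findings.append("issuer is Entrust; Chrome 131 and later reject this chain")
        else:
            days_left = (CHROME_DISTRUST_DATE - now).days
            findings.append(f"issuer is Entrust; {days_left} days until Chrome 131 distrust")
    if not_after < now:
        findings.append("certificate has expired")
    elif (not_after - now).days <= 30:
        findings.append(f"certificate expires in {(not_after - now).days} days")
    return {
        "subject": rdn_value(cert.get("subject", ()), "commonName"),
        "issuer": issuer_org,
        "not_after": not_after.isoformat(),
        "needs_action": bool(findings),
        "findings": findings,
    }


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Fetch a live server's leaf certificate; requires network access, so not used by the samples."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() layout (hostnames and values are made up).
SAMPLE_ENTRUST_LEAF = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Entrust, Inc."),),
        (("commonName", "Example Entrust Intermediate CA"),),
    ),
    "notBefore": "Mar 1 00:00:00 2024 GMT",
    "notAfter": "Jun 30 23:59:59 2025 GMT",
}

SAMPLE_OTHER_LEAF = {
    "subject": ((("commonName", "www.example-shop.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust Services"),),
        (("commonName", "Example Public CA G1"),),
    ),
    "notBefore": "Mar 1 00:00:00 2024 GMT",
    "notAfter": "Jun 30 23:59:59 2025 GMT",
}


def audit_samples(now):
    """Audit both constructed samples at the given date; returns a list of audit records."""
    return [audit_cert(SAMPLE_ENTRUST_LEAF, now), audit_cert(SAMPLE_OTHER_LEAF, now)]


if __name__ == "__main__":
    import sys

    today = datetime.now(tz=timezone.utc)
    records = audit_samples(today)
    # Any hostnames given on the command line are fetched live and audited too.
    records += [audit_cert(fetch_leaf_cert(h), today) for h in sys.argv[1:]]
    for rec in records:
        status = "ACTION" if rec["needs_action"] else "ok"
        print(f"{status:6} {rec['subject']}  issuer={rec['issuer']}  {'; '.join(rec['findings'])}")
```

Running the script with hostnames as arguments prints one line per certificate; an `ACTION` line on an Entrust-issued leaf before the cutoff gives the number of days left to move it, and after the cutoff states that Chrome 131 rejects it. Because only the leaf's issuer is inspected, a site whose intermediate CA is Entrust-operated but branded under another organization name would need a full-chain check with a tool such as `openssl s_client -showcerts`.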