In a significant move to enhance web security, both Google and Firefox have announced that they will no longer support SSL / TLS certificates issued by the Certificate Authority (CA) Entrust. This decision is rooted in Entrust’s ongoing compliance issues and will have far-reaching impacts, especially for current users of Entrust and AffirmTrust SSL Certificates. Follow along as we dive into why this decision was made, who will be affected, and what steps Entrust SSL users need to take in light of Google and Firefox’s declaration of distrust.
Why Google and Firefox Made the Decision to Distrust Entrust
The primary reason behind this decision by Google, followed in due course by Firefox, is Entrust’s repeated compliance failures and unmet improvement commitments. Over the past several years, Entrust has faced multiple incidents that have undermined their reliability and trustworthiness as a Certificate Authority. These include delayed revocations and failures to meet industry security standards. Google noted a lack of tangible progress in addressing these issues, leading to a loss of confidence in Entrust’s “competence, reliability, and integrity as a publicly-trusted CA Owner” and their ability to maintain the high security standards required of a Certificate Authority.
You can read Google’s official statement about its decision here.
Who Will Be Impacted
The impact of this decision will be wide-ranging, affecting thousands of websites, APIs, and a variety of online services that use Entrust and/or AffirmTrust certificates. Users navigating to these websites and platforms will encounter security warnings beginning October 31, 2024, indicating that the connection is not secure. We advise any organizations that are using Entrust certificates to transition to new SSL Certificates by trusted Certificate Authorities well before the deadline to maintain user trust, confidence and platform security.
Webnames does not sell Entrust or AffirmTrust SSL/TLS certificates, so if your digital certificate(s) is purchased through Webnames, it will not be issued by Entrust. However, if you have multiple SSL certificates purchased from different vendors in use across your organization’s websites and platforms, we strongly encourage you to check if any of them are Entrust.
Timeline for the Distrust Change
Google’s support for Entrust certificates will end with the release of Chrome version 127, which is expected in November 2024. Similarly, Firefox will implement this change around the same time. Certificates issued by Entrust before October 31, 2024, will remain trusted until they expire, but any certificates issued after this date will be treated as untrusted.
TLS server authentication certificates validating to the following Entrust roots whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024, will no longer be trusted by default.
- Entrust Root Certification Authority – EC1
- Entrust Root Certification Authority – G2
- Entrust.net Certification Authority (2048)
- Entrust Root Certification Authority (2006)
- Entrust Root Certification Authority – G4
- AffirmTrust Commercial
- AffirmTrust Networking
- AffirmTrust Premium
- AffirmTrust Premium ECC
TLS server authentication certificates validating to the above set of roots whose earliest SCT is on or before October 31, 2024, will be unaffected by this change.
What Entrust SSL Users (and Possible Entrust Users) Need to Do Now:
- Identify Affected Certificates: IT professionals and website owners will need to check if their certificates are issued by Entrust and/or AffirmTrust. This can be done easily using the Chrome Certificate Viewer by following these steps:
  - Navigate to a website (e.g., https://www.webnames.ca) and click the “Tune” icon.
  - Click “Connection is Secure” and then click “Certificate is Valid” to open the Chrome Certificate Viewer.
  - Here you will find information about the Certificate Authority and the SSL certificate being used on the website. No action is required if the “Organization (O)” field listed beneath the “Issued By” heading does not contain “Entrust” or “AffirmTrust”.
- Choose a Digital Certificate by a Trusted CA: Once you have confirmed that you are using an Entrust or AffirmTrust SSL/TLS certificate, you will need to choose a new, publicly-trusted digital certificate that meets your requirements from a Certificate Authority such as DigiCert, GeoTrust, Sectigo or Thawte. All of these brands / CAs are considered reputable and have numerous DV, OV, single, multiple and wildcard SSL certificate options.
If you need help determining which SSL / TLS certificate is right for your technical requirements, budget and brand, we can help match you with best fit options.
- Obtain and Install New Certificates: Purchase your new certificate(s) from Webnames or another reliable SSL vendor, generate the Certificate Signing Request (CSR) and install it on your web server. Ensure all configurations are updated to use the new certificate. If you require assistance across any stage of the purchase, configuration, verification and installation, we’re here to help.
- Test New Configurations: Use command-line flags in Chrome to simulate the distrust constraint and verify that the new certificates are working correctly, or run it through an SSL Installation Checker tool. If you’re unsure about how to do this or need a hand, let our team know.
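The issuer check from the “Identify Affected Certificates” step, scripted so it can be run across many hosts; this is an added example, not code from Webnames, Google or Mozilla. It reads the issuer Organization through Python's standard `ssl` module and uses the certificate's notBefore date as an approximation of the earliest SCT, which the standard library does not expose; the sample certificates are constructed.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Issuer Organization substrings named on this page.
DISTRUSTED_ORGS = ("entrust", "affirmtrust")
# Page's cutoff. Browsers use the earliest SCT; the stdlib does not expose
# SCTs, so notBefore stands in as an approximation (assumption).
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

# Constructed certificates in ssl.getpeercert() format (not real data).
SAMPLES = {
    "legacy": {"issuer": ((("organizationName", "Entrust, Inc."),),),
               "notBefore": "Mar 12 00:00:00 2024 GMT"},
    "new": {"issuer": ((("organizationName", "AffirmTrust"),),),
            "notBefore": "Nov 15 00:00:00 2024 GMT"},
    "other": {"issuer": ((("organizationName", "Example CA"),),),
              "notBefore": "Nov 15 00:00:00 2024 GMT"},
}

def issuer_org(cert):
    """Issuer Organization (O) from a getpeercert() dict, or ''."""
    pairs = [pair for rdn in cert.get("issuer", ()) for pair in rdn]
    return dict(pairs).get("organizationName", "")

def classify(cert):
    """Return 'ok', 'trusted-until-expiry' or 'distrusted'."""
    org = issuer_org(cert).lower()
    if not any(name in org for name in DISTRUSTED_ORGS):
        return "ok"
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return "distrusted" if issued > CUTOFF else "trusted-until-expiry"

def fetch_cert(host, port=443, timeout=5):
    """Fetch a host's leaf certificate as a getpeercert() dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for host in sys.argv[1:]:
        try:
            print(host, classify(fetch_cert(host)))
        except OSError as exc:  # DNS, TCP or TLS verification failure
            print(host, "error:", exc)
```

Pass hostnames as command-line arguments to check live sites. A host whose certificate the local trust store already rejects is reported as an error rather than classified.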
Expert Recommendation: Implement SSL Monitoring – SSL certificate monitoring can be used by any organization, whether they have a single cert or one hundred, to protect against expiry, incomplete installation and other errors. The service scans a website’s SSL status multiple times daily, alerting an organization to outages and/or SSL status changes so action can be taken quickly if required.
Conclusion
The decision by Google and Firefox to stop supporting Entrust SSL certificates underscores the importance of maintaining stringent security standards in the digital certificate ecosystem. Affected organizations should prioritize transitioning to trusted CAs as soon as possible – and well ahead of the October 31st deadline – to ensure uninterrupted and secure web interactions for their users.
We hope that understanding the reasons behind Google and Firefox’s decision to distrust Entrust and AffirmTrust digital certificates will enable businesses and IT professionals to take proactive steps to transition to alternate, trusted CAs and continue to provide secure online experiences for their users.
For further information about this development and guidance, refer to the official announcements from Google, Mozilla’s log of Entrust issues, and recent posts from authoritative internet security blogs like Security Boulevard, the Register and Sectigo® Official.