
Chrome 127 and Above to Block Entrust and AffirmTrust Certificates Starting November 2024

Google has announced that starting November 1, 2024, Chrome version 127 and higher will no longer trust new TLS server authentication certificates from Entrust and AffirmTrust. This decision follows a series of reported compliance failures, unfulfilled improvement commitments, and insufficient progress in addressing publicly disclosed incident reports observed over the past six years.

According to a blog post published by Google on June 27, website owners are advised to transition to a new publicly trusted Certification Authority (CA) before the deadline to avoid disruptions. Certification Authorities play a crucial role in securing encrypted connections between browsers and websites, adhering to stringent security and compliance standards. Google’s decision underscores the importance of these standards. More specifically, the Chrome Root Program Policy mandates that CA certificates must provide value that exceeds their risk.

“When these factors are considered in aggregate and against the inherent risk each publicly trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified,” the blog post reads.


Background of Entrust and AffirmTrust

Entrust and AffirmTrust are established players in the field of digital security, providing critical infrastructure for secure communications over the internet. Entrust, founded in 1994, has a long history of offering identity-based security solutions, including public key infrastructure (PKI), digital certificates, and encryption technologies. The company has been a trusted certification authority (CA), ensuring the authenticity and security of digital transactions and communications. AffirmTrust, though newer, has also made significant contributions to the industry by providing a range of trusted digital certificates for securing online interactions. Both companies have played pivotal roles in enabling encrypted connections and ensuring data integrity and privacy across the web. However, recent compliance issues and security lapses have led to a reassessment of their roles as trusted entities in the digital ecosystem, culminating in Google’s decision to phase out trust in their certificates.


Impact on Website Operators

As a result of this update, after November 1, Chrome users visiting websites whose certificates were newly issued by Entrust or AffirmTrust after the cutoff will encounter security warnings. Website operators are encouraged to review their certificates and transition to a different CA to prevent service interruptions. This change will apply to Chrome on multiple platforms, including Windows, macOS, ChromeOS, Android, and Linux.

“The Entrust news is a sharp reminder of why it is so important for CAs to take their role as stewards of public trust very seriously. CAs have to hold themselves to the highest of standards, not only for the sake of their business but for all the people and businesses that depend on them,” commented Tim Callan, chief experience officer at Sectigo, an Arizona-based provider of certificate lifecycle management (CLM) solutions.


Background of the Decision

Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of Google’s expectations. These behaviors have eroded confidence in their competence, reliability, and integrity as a publicly trusted CA owner. In response to these concerns and to preserve the integrity of the Web PKI ecosystem, Chrome will take definitive action.


Technical Details

TLS server authentication certificates validating to the following Entrust and AffirmTrust roots whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024, will no longer be trusted by default:

  • CN=Entrust Root Certification Authority - EC1, O=Entrust, Inc., C=US
  • CN=Entrust Root Certification Authority - G2, O=Entrust, Inc., C=US
  • CN=Entrust.net Certification Authority (2048), O=Entrust.net Limited
  • CN=Entrust Root Certification Authority, O=Entrust, Inc., C=US
  • CN=Entrust Root Certification Authority - G4, O=Entrust, Inc., C=US
  • CN=AffirmTrust Commercial, O=AffirmTrust, C=US
  • CN=AffirmTrust Networking, O=AffirmTrust, C=US
  • CN=AffirmTrust Premium, O=AffirmTrust, C=US
  • CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US

Certificates validating to these roots with SCTs on or before October 31, 2024, will be unaffected by this change. This approach attempts to minimize disruption to existing subscribers by using a recently announced Chrome feature to remove default trust based on the SCTs in certificates.


Actions for Website Operators

Website operators are strongly encouraged to transition to a new publicly trusted CA as soon as possible to avoid disruptions. Delaying action could result in service interruptions if certificates expire after October 31, 2024. While website operators could delay the impact by obtaining new TLS certificates from Entrust before November 1, 2024, this is only a temporary solution. Ultimately, they will need to secure certificates from other CAs included in the Chrome Root Store.

To determine if their website is affected, operators can use the Chrome Certificate Viewer. If the “Organization (O)” field under the “Issued By” heading contains “Entrust” or “AffirmTrust”, action is required.
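The SCT-based rule in the Technical Details section and the "Issued By" check above can be turned into a small inventory script. The following is an added example written for this article; it is not code from Google, Entrust or Netizen. It assumes the October 31, 2024 boundary is the end of that day in UTC, assumes a certificate with no SCT at all is treated like a post-cutoff one (Chrome already requires Certificate Transparency for publicly trusted certificates), and the inventory records (hostnames, dates, root names other than those listed in the article) are constructed for illustration.

```python
"""Classify an inventory of TLS certificates against Chrome's distrust of
Entrust and AffirmTrust roots (Chrome 127+, SCT cutoff 2024-10-31).

Added example; inventory entries below are constructed, not real hosts.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Root subjects named in the announcement. The distrust is keyed on the root
# a chain validates to, not on the leaf issuer alone.
DISTRUSTED_ROOTS = [
    "CN=Entrust Root Certification Authority - EC1, O=Entrust, Inc., C=US",
    "CN=Entrust Root Certification Authority - G2, O=Entrust, Inc., C=US",
    "CN=Entrust.net Certification Authority (2048), O=Entrust.net Limited",
    "CN=Entrust Root Certification Authority, O=Entrust, Inc., C=US",
    "CN=Entrust Root Certification Authority - G4, O=Entrust, Inc., C=US",
    "CN=AffirmTrust Commercial, O=AffirmTrust, C=US",
    "CN=AffirmTrust Networking, O=AffirmTrust, C=US",
    "CN=AffirmTrust Premium, O=AffirmTrust, C=US",
    "CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US",
]

# Assumption: the boundary is the end of 2024-10-31 in UTC. A leaf whose
# earliest SCT is later than this loses default trust in Chrome 127+.
SCT_NOT_AFTER = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper so sample data and tests can build UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514-style name into {type: value}.

    Splits only on commas followed by a new 'TYPE=' attribute, so the comma
    inside a value such as 'O=Entrust, Inc.' is preserved.
    """
    out = {}
    for part in re.split(r",\s*(?=[A-Za-z]+=)", dn):
        key, _, value = part.partition("=")
        out[key.strip().upper()] = value.strip()
    return out


_DISTRUSTED = [parse_dn(d) for d in DISTRUSTED_ROOTS]


def chains_to_distrusted_root(root_dn: str) -> bool:
    """True when the root subject matches a listed root (attribute order ignored)."""
    return parse_dn(root_dn) in _DISTRUSTED


def issuer_flagged(issuer_org: str) -> bool:
    """The quick check from the Chrome Certificate Viewer: 'Organization (O)'
    under 'Issued By' naming Entrust or AffirmTrust means action is required."""
    return "Entrust" in issuer_org or "AffirmTrust" in issuer_org


@dataclass
class CertRecord:
    host: str
    issuer_org: str                   # O of the leaf's issuer, as the viewer shows it
    root_dn: str                      # subject of the root the chain validates to
    earliest_sct: Optional[datetime]  # earliest SCT on the leaf, if any
    not_after: datetime               # leaf expiry


def classify(rec: CertRecord) -> str:
    if not chains_to_distrusted_root(rec.root_dn):
        return "unaffected"
    if rec.earliest_sct is None or rec.earliest_sct > SCT_NOT_AFTER:
        # Issued after the cutoff (or no SCT to prove otherwise): Chrome
        # shows a warning from 1 November 2024.
        return "distrusted"
    # Grandfathered by its SCT, but it still expires; migrate to another CA
    # in the Chrome Root Store before not_after rather than renewing here.
    return "trusted-until-expiry"


# Constructed inventory: hostnames and dates are illustrative only.
SAMPLE_INVENTORY = [
    CertRecord("shop.example", "Entrust, Inc.",
               "CN=Entrust Root Certification Authority - G2, O=Entrust, Inc., C=US",
               utc(2024, 11, 2), utc(2025, 11, 1)),
    CertRecord("api.example", "Entrust, Inc.",
               "CN=Entrust Root Certification Authority - G2, O=Entrust, Inc., C=US",
               utc(2024, 10, 15), utc(2025, 10, 14)),
    CertRecord("www.example", "AffirmTrust",
               "CN=AffirmTrust Premium, O=AffirmTrust, C=US",
               utc(2024, 10, 31, 23), utc(2025, 10, 30)),
    CertRecord("mail.example", "Example Public CA",      # hypothetical CA
               "CN=Example Root CA, O=Example CA, C=US",
               utc(2024, 12, 1), utc(2025, 3, 1)),
]


def report(records=SAMPLE_INVENTORY) -> dict:
    """Map each host to its classification."""
    return {r.host: classify(r) for r in records}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:15} {status}")
```

The root subject is compared attribute by attribute rather than as a raw string, so a DN printed in reverse order by a different tool (`C=US, O=Entrust, Inc., CN=...`) still matches. Note that `trusted-until-expiry` is not a pass: those certificates keep working in Chrome only until they expire, which is the temporary reprieve the next section describes.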


Enterprise Considerations

For internal enterprise networks using Entrust certificates, administrators can override Chrome Root Store constraints by installing the corresponding root CA certificate as a locally trusted root on the platform Chrome is running. This ensures continued trust within enterprise environments.


Testing the Changes

Administrators and power users can simulate the effect of the SCTNotAfter distrust constraint by using a command-line flag in Chrome 128. This allows them to evaluate the impact of the changes before they take effect.


Industry Implications

The move by Google highlights the critical role CAs play in maintaining internet security. With the advent of a 90-day certificate lifecycle and the implications of quantum computing on the horizon, it is more important than ever for CAs and CLM providers to adhere to the highest standards and fully comply with CA/Browser Forum rules and baseline requirements.


Conclusion

Google’s decision to block Entrust certificates underscores the importance of maintaining high standards in the certification process. Website operators must act promptly to transition to new CAs to avoid disruptions. The integrity of the web ecosystem relies on the stringent adherence to security and compliance standards by all CAs.


Copyright © Netizen Corporation. All Rights Reserved.