Google Chrome is dropping support for a major privacy system, but there may be a good reason for that

Google has announced that starting November 1, 2024, it will no longer trust certificates from Entrust, a leading certificate authority.

The change, which will affect Chrome browsers starting with version 127, comes after what Google describes as Entrust’s long-term failure to adhere to compliance standards and address security issues.

Google’s decision follows a series of incident reports that have negatively impacted confidence in Entrust’s ability to serve as a trusted certificate authority.

Google will stop Entrust support from November

The Chrome Security Team wrote in a blog post: “Over the past several years, publicly released incident reports have revealed a pattern of concerning behavior by Entrust that has fallen short of the above expectations and has undermined confidence in their competence, reliability, and integrity as a publicly trusted CA owner.”

After November 1, TLS server authentication certificates that validate to Entrust or AffirmTrust roots will no longer be trusted by default. Chrome users will still have the option to manually trust these certificates if they want to retain existing functionality, although this carries an implicit risk.

Google isn’t the only company expressing its displeasure, as Mozilla also documented Entrust’s certificate issues a few weeks ago.

Website operators using Entrust certificates must migrate to a new certificate authority before the November cutoff date to avoid disruption.
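For operators taking stock before the cutoff, the following added example (not from the article or from Google) flags hosts whose leaf certificate names Entrust or AffirmTrust as issuer. Matching on issuer names is a heuristic assumed here, and the host names and sample certificates are constructed.

```python
import socket
import ssl
import sys

# Brand markers for the two CAs the article names. Matching on issuer names is
# a heuristic assumed by this example; Chrome itself evaluates the root.
AFFECTED_MARKERS = ("entrust", "affirmtrust")

def issuer_fields(cert):
    """Flatten the issuer RDNs of an ssl.getpeercert() dict into one dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def is_affected(cert):
    """True if the issuer's organization or common name carries a marker."""
    fields = issuer_fields(cert)
    names = (fields.get("organizationName", ""), fields.get("commonName", ""))
    return any(m in name.lower() for m in AFFECTED_MARKERS for name in names)

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate a server presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def hosts_to_migrate(certs_by_host):
    """Return the hosts whose leaf certificate was issued under a marked CA."""
    return sorted(h for h, c in certs_by_host.items() if is_affected(c))

# Constructed sample data in getpeercert() shape (not real certificates).
SAMPLES = {
    "shop.example": {"issuer": ((("countryName", "US"),),
                                (("organizationName", "Entrust, Inc."),),
                                (("commonName", "Constructed Entrust Issuing CA"),))},
    "api.example": {"issuer": ((("organizationName", "AffirmTrust"),),
                               (("commonName", "Constructed Issuing CA"),))},
    "blog.example": {"issuer": ((("organizationName", "Example Other CA"),),
                                (("commonName", "Example Other CA R1"),))},
}

if __name__ == "__main__":
    hosts = sys.argv[1:]
    certs = {h: fetch_cert(h) for h in hosts} if hosts else SAMPLES
    for host in hosts_to_migrate(certs):
        print(f"{host}: issued by {issuer_fields(certs[host]).get('commonName')}")
```

Run with host names as arguments to check live servers; with no arguments it reports on the constructed samples.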

The Chrome Security team added: “Over the past six years, we have observed a pattern of compliance gaps, unmet improvement commitments, and a lack of tangible, measurable progress in response to publicly released incident reports.”

Google has confirmed that the change will go into effect with Chrome 127 on Windows, macOS, ChromeOS, Android, and Linux, but Apple’s policy “prevents the Chrome Certificate Verifier and associated Chrome Root Store from being used on Chrome for iOS.”

An Entrust spokesperson (via The Register) commented on Google’s decision: “The Chrome Root Program’s decision is a disappointment to us as long-time members of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to ensure continuity offer to our customers.”
