In a significant move to enhance digital certificate security, Google recently announced its decision to distrust certificates issued by Entrust, a major certificate authority (CA), due to a long series of compliance incidents. Google recommends that, “affected website operators transition to a new publicly-trusted CA owner as soon as reasonably possible.” Further, to avoid adverse impacts, Google indicates, “this action must be completed before the existing certificate(s) expire if expiry is planned to take place after October 31, 2024.”
Customers of Venafi are in a fortunate position. If you have already implemented Venafi TLS Protect Cloud or self-hosted Trust Protection Platform (TPP), responding to this event will be a straightforward process that can be implemented with little impact to the services and systems that are using Entrust’s public certificate services today. However, action is absolutely required ahead of the October 31st deadline imposed by Google.
Step 1: Understand the impact to your organization
If you are currently using Entrust to issue publicly-trusted TLS server certificates, you are impacted by this, and your organization will need to take action quickly. You can use Venafi TLS Protect and/or Venafi Trust Protection Platform to generate a report showing if you are currently issuing certificates from Entrust or have in the past.
According to Google’s announcement, users will be presented with an untrusted certificate page when visiting any web server that presents a certificate from Entrust that was issued after October 31st, 2024. This will prevent users from successfully navigating to your service using Google Chrome. Google’s announcement is also clear that certificates issued by Entrust or AffirmTrust on or before October 31, 2024 will not be impacted. They will continue to work until their natural expiration date, typically one year.
This means it is not necessary to scramble to replace all Entrust or AffirmTrust issued certificates before October 31, nor would we recommend doing so. Doing so is unnecessary and would create a large spike of certificates that expire between July and October 2025. A large concentration of certificates renewing in the same timeframe is not a problem if your organization has fully automated the process, but if manual work is involved, it creates an operational burden that was avoidable to begin with.
However, there is work that must be completed prior to October 31st, 2024. The remaining steps outline what must be done.
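To make Step 1 concrete, the following added example (not Venafi’s code, nor a real Venafi report format) triages a certificate inventory export against the October 31, 2024 cutoff using the rules above. The CSV column names are an assumption, and the certificate notBefore date is used as a proxy for the issuance date.

```python
"""Triage an inventory export for certificates affected by the Entrust distrust."""
import csv
import io
from datetime import date

# Cutoff from Google's announcement: Entrust/AffirmTrust certificates issued on or
# before this date keep working until they expire; later issuance is untrusted in Chrome.
CUTOFF = date(2024, 10, 31)

# Issuer organisations subject to the distrust (the announcement names both).
DISTRUSTED_ISSUERS = ("entrust", "affirmtrust")

# Constructed sample export (assumed column names, not a real Venafi report layout).
# "issued" is the notBefore date, used here as a proxy for the issuance date.
SAMPLE_INVENTORY = """\
common_name,issuer_org,issued,expires
www.example.com,Entrust,2024-03-01,2025-03-01
api.example.com,AffirmTrust,2024-11-05,2025-11-05
legacy.example.com,Entrust,2023-09-15,2024-09-15
shop.example.com,GlobalSign,2024-06-10,2025-06-10
"""


def classify(issuer_org: str, issued: date, expires: date) -> str:
    """Return an action code for one certificate per the rules in the announcement."""
    if not any(name in issuer_org.lower() for name in DISTRUSTED_ISSUERS):
        return "unaffected"
    if issued > CUTOFF:
        # Chrome will show an untrusted-certificate page: replace from the new CA now.
        return "untrusted-replace-now"
    if expires > CUTOFF:
        # Still trusted until natural expiry; the renewal must come from the new CA.
        return "trusted-until-expiry-renew-with-new-ca"
    # Expires before the cutoff anyway; route the renewal to the new CA.
    return "expires-before-cutoff-renew-with-new-ca"


def triage(csv_text: str) -> dict:
    """Map each common name in the export to its action code."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[row["common_name"]] = classify(
            row["issuer_org"],
            date.fromisoformat(row["issued"]),
            date.fromisoformat(row["expires"]),
        )
    return result


if __name__ == "__main__":
    for cn, action in triage(SAMPLE_INVENTORY).items():
        print(f"{cn:22} {action}")
```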
Step 2: Select a new public certificate authority
Some organizations create and maintain accounts with multiple publicly trusted certificate authorities. For example, you may already have an account and be able to issue certificates from GlobalSign or HID Global / IdenTrust in addition to Entrust. In this case, an administrator can simply make configuration changes within their Venafi platform(s) to use the alternative CA for all new certificate requests and renewals going forward.
If Entrust is currently your only publicly-trusted CA, it is mission-critical to swiftly establish a commercial relationship with another publicly-trusted CA. This will likely be the longest step in this process. Public CAs are required to validate organizations and to provide assurance that an organization owns the domains for which it will be requesting certificates. This process is fundamental to maintaining the trust model of the internet, and it is the reason any CA that issues publicly-trusted certificates receives a high level of scrutiny from CA/Browser Forum members such as Google, Mozilla, Apple and Microsoft.
There will likely be many organizations seeking to establish new relationships with the other public CAs as a result of Google’s action against Entrust. This means that the domain and organization validation processes may take longer than normal due to the volume of requests the other CAs are receiving. Start this process to ensure it is completed before the October deadline!
Venafi’s products have compatibility and integration with many of the leading public CAs. While Venafi does not endorse any specific CA, we have strong, established partnerships with GlobalSign, HID Global / IdenTrust and SwissSign, all three of which offer outstanding compatibility with Venafi TLS Protect Cloud and Trust Protection Platform.
Step 3: Enable issuance from Venafi TLS Protect
Once a new CA has been selected, all the domains have been validated, and certificate issuance is enabled, your Venafi platform will need to be configured to issue certificates from the new certificate authority.
The exact steps to take, and the requirements for connectivity vary by certificate authority. Refer to the correct product documentation for details on configuring your CA:
- For Venafi Trust Protection Platform / TLS Protect Datacenter: https://docs.venafi.com
- For Venafi TLS Protect Cloud: https://docs.venafi.cloud
Step 4: Enable the new CA for certificate renewals and issuance
Ensure that any new certificate request, as well as any renewal of an existing Entrust certificate, is handled by the new CA. Venafi’s TLS Protect products make it easy to change to a new CA at any time, without impacting existing automation that may be in place and without changing the experience for self-service requests.
Venafi’s customer support has published and is maintaining specific guidance in knowledge-base articles to simplify this process further:
- For TLS Protect Cloud: https://support.venafi.com/hc/en-us/articles/27978896786189
- For Trust Protection Platform (TPP): https://support.venafi.com/hc/en-us/articles/27977375757709
While this announcement may be confusing and even alarming for some organizations, Venafi is here to help. As the machine identity market leader, we have successfully navigated these events in the past for hundreds of customers and are ready to help you succeed through this transition away from Entrust as well.
If you need more information, want to better understand the impact to your organization, or would like to review your options, please reach out to your Venafi Customer Success or Account team. We look forward to helping you ensure that this event can be successfully navigated with minimal to no impact to your business.