In a significant move for digital certificate security, Google recently announced that Chrome will stop trusting TLS server certificates issued by Entrust, a major certificate authority (CA), citing a long series of compliance incidents. Google recommends that, “affected website operators transition to a new publicly-trusted CA owner as soon as reasonably possible.” Further, to avoid adverse impacts, Google indicates, “this action must be completed before the existing certificate(s) expire if expiry is planned to take place after October 31, 2024.”
This announcement underscores the importance of maintaining robust, agile crypto practices to ensure trust in digital identities. Global 5000 organizations must recognize that their certificate control plane should not be tied to any single CA: they need freedom of choice among CAs (CA agility), and they need to futureproof themselves against certificate mis-issuance and CA errors that can end in global distrust of a root.
Google's decision stems from a pattern of Entrust compliance failures against the rules that govern publicly trusted CAs, including mis-issued certificates. This incident is a stark reminder of the critical role CAs play in securing digital communications and of the necessity for continuous vigilance and compliance.
If Entrust is currently your only publicly-trusted CA, it is mission-critical to swiftly establish a commercial relationship with another publicly-trusted CA. A key part of this process involves ensuring the ability to issue TLS server certificates for the domains you own, which may take time due to domain validation processes; if you publish CAA records for those domains, they must also be updated to authorize the new CA before it can issue. While Venafi does not endorse specific CAs, we have strong, established partnerships with GlobalSign, HID Global and SwissSign, all three of which offer outstanding compatibility with Venafi TLS Protect.
Importance of certificate authority (CA) agility in crypto agility
Crypto agility is the ability to swiftly respond to security incidents, update cryptographic practices, and maintain compliance with industry standards. As threats continue to evolve quickly and new vulnerabilities are discovered frequently, having crypto agility is essential. Certificate authority agility (CA agility) is a cornerstone of crypto agility, specifically referring to the ability to change out CAs quickly. This ensures that organizations can promptly switch to a different CA if their current one is compromised, fails to meet security standards, or becomes distrusted.
CA agility allows organizations to avoid being locked into a single provider, thereby maintaining flexibility and resilience in their security posture.
Crypto agility is not just about responding to crises but also about proactively managing the certificate lifecycle. This includes automating certificate renewals, ensuring compliance with the latest security protocols, and having a robust process for handling mis-issuances. By building crypto agility into their security infrastructure, organizations can enhance their overall security posture and reduce the risk of digital identity compromises.
To prepare for this transition, organizations need:
- Comprehensive Visibility and Control: Gain full visibility into your certificates to understand which certificates chain to the affected Entrust roots, track their status and expiry, and prioritize replacements to minimize disruptions.
- Automated Certificate Lifecycle Management: Automate the issuance, renewal, and revocation of certificates to ensure continuous compliance and reduce the risk of manual errors.
- Enhanced Security Posture: Protect your organization against the risks associated with compromised certificates by ensuring that all certificates comply with the latest industry standards and best practices.
- Seamless Integrations: Having a unified approach to certificate management ensures that your transition is smooth and that your security policies are consistently enforced across all systems.
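The visibility step above is where most of the work is: you need to know which certificates chain to Entrust roots and which of them Chrome will still trust until they expire. The following is an added example, not Venafi's code and not from the original post, showing how that triage can be applied to a certificate inventory export. It assumes an export with one row per certificate and the columns shown (hostname, issuer CN, root CN, expiry, earliest embedded SCT); the rows, hostnames and column names are constructed for the example. The cutoff is the date quoted in Google's announcement and is kept as a parameter, since Google has revised the date in a later update and the current value should be confirmed against Google's announcement.

```python
"""Triage a certificate inventory export against Chrome's Entrust distrust rule.

Added example, not Venafi's code. The inventory format and the hostnames below
are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timezone

# Cutoff quoted in Google's announcement: certificates whose earliest SCT is
# after this date are no longer trusted. Keep it a parameter and confirm it
# against Google's current announcement, since the date was revised later.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

# Assumption for this example: a chain is "affected" if its root CN contains
# one of these markers. The authoritative list of roots is in Google's post.
ENTRUST_ROOT_MARKERS = ("Entrust", "AffirmTrust")

PRIORITY = {
    "distrusted_now": 0,         # earliest SCT after cutoff: Chrome already rejects it
    "sct_unknown": 1,            # export has no SCT: confirm before assuming it is fine
    "replace_before_expiry": 2,  # trusted until expiry, but renewal must use the new CA
    "expires_before_cutoff": 3,  # expires before cutoff; renew with the new CA when due
    "unaffected": 4,
}

# Constructed sample export (hypothetical hosts). Timestamps are UTC ISO-8601.
SAMPLE_INVENTORY = """\
hostname,issuer_cn,root_cn,not_after,earliest_sct
www.example.com,Entrust Certification Authority - L1K,Entrust Root Certification Authority - G2,2024-09-15T00:00:00Z,2023-09-14T10:00:00Z
api.example.com,Entrust Certification Authority - L1K,Entrust Root Certification Authority - G2,2025-06-01T00:00:00Z,2024-05-30T09:12:00Z
new.example.com,Entrust Certification Authority - L1K,Entrust Root Certification Authority - G2,2025-11-20T00:00:00Z,2024-11-19T08:00:00Z
legacy.example.com,Entrust Certification Authority - L1K,Entrust Root Certification Authority - G2,2025-06-01T00:00:00Z,
shop.example.com,GlobalSign GCC R6 AlphaSSL CA 2023,GlobalSign Root CA - R6,2025-03-01T00:00:00Z,2024-02-28T12:00:00Z
"""


def parse_utc(value):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ'; an empty field means the export had no value."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def chains_to_entrust(root_cn):
    """True when the chain anchors on an Entrust-operated root (see marker assumption)."""
    return any(marker in root_cn for marker in ENTRUST_ROOT_MARKERS)


def classify(row, cutoff=CUTOFF):
    """Return (status, deadline) for one inventory row.

    Chrome keys its decision on the earliest SCT, not on notBefore, so a
    certificate logged before the cutoff stays trusted until it expires; the
    replacement just has to be in place before that expiry.
    """
    not_after = parse_utc(row["not_after"])
    if not chains_to_entrust(row["root_cn"]):
        return "unaffected", not_after
    sct = parse_utc(row["earliest_sct"])
    if sct is None:
        return "sct_unknown", not_after
    if sct > cutoff:
        return "distrusted_now", cutoff  # deadline has already passed
    if not_after > cutoff:
        return "replace_before_expiry", not_after
    return "expires_before_cutoff", not_after


def triage(csv_text, cutoff=CUTOFF):
    """Classify every row of an inventory export, most urgent first."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, deadline = classify(row, cutoff)
        results.append({"hostname": row["hostname"], "status": status, "deadline": deadline})
    results.sort(key=lambda r: (PRIORITY[r["status"]], r["deadline"]))
    return results


def days_left(deadline, today):
    """Whole days until the deadline; negative once it has passed."""
    return (deadline - today).days


if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    for item in triage(SAMPLE_INVENTORY):
        print(f"{item['hostname']:<20} {item['status']:<22} "
              f"deadline {item['deadline']:%Y-%m-%d} ({days_left(item['deadline'], today)} days)")
```

The SCT column matters more than notBefore: a certificate Entrust issued shortly before the cutoff is still trusted until its own expiry, while one logged the day after is rejected immediately, so the two need different priorities even though both chain to the same root. Rows with no SCT in the export are flagged for a manual check rather than silently treated as safe.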
Moving Forward
As we look to the future, it’s clear that the digital certificate landscape will continue to evolve. The shift towards shorter certificate lifespans, as discussed in our previous blogs, and the increasing focus on automation highlight the need for agile, proactive security strategies.
Google’s decision to distrust Entrust certificates serves as a stark reminder of the importance of robust certificate management. By partnering with Venafi, organizations can navigate these changes confidently, ensuring that their digital certificates remain secure and compliant.
For more information on how Venafi can help your organization manage the transition, visit Venafi’s Solutions. Stay informed about the latest developments by following our blog and updates.