Google Announces To Block CA Certificates Issued By Entrust And AffirmTrust In Chrome Starting From 1 November, 2024
Surprised to read the above headline? Well, Google’s announcement did come as a shock for many Chrome users. According to the official blog post, from November 1, Google will be blocking CA certificates (SSL) issued by Entrust and AffirmTrust (acquired by Entrust in 2016) on the grounds of prioritizing the security and privacy of Chrome users.
Reason Behind This Decision By Google
As per Google’s statement, “Chrome Root Program Policy states that CA certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion.” Also, when things don’t go right, Google expects CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.
Google mentioned that over several years, there were publicly disclosed incident reports that highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations and have eroded confidence in their competence, reliability, and integrity as a publicly trusted CA owner. In response to these concerns and to preserve the integrity of the Web PKI ecosystem, Chrome is taking the action of blocking the certificates issued by Entrust.
On June 21 in a Certification Authority Browser Forum post, Bhagwat Swaroop, Entrust president of digital security solutions, stated, “As a global CA we must walk a tightrope in balancing the requirements of the root programs and subscriber needs, especially for critical infrastructure. In some cases, we did not strike the right balance.” He also mentioned that Entrust is committed to making lasting changes, both organizational and cultural, to begin to regain the trust of the root programs and the community.
Google, however, now seems to have made its decision on this issue. Entrust and AffirmTrust TLS server authentication certificates that were signed on or before 31 October will be unaffected by this change, but certificates dated after 31 October 2024 will no longer be trusted by default. The blocking action will occur in Chrome 127 and greater on Windows, macOS, ChromeOS, Android, and Linux.
Google has advised the affected website operators to transition to a new publicly trusted CA Owner as soon as reasonably possible. While website operators could delay the impact of blocking action by choosing to collect and install a new TLS certificate issued from Entrust before Chrome’s blocking action begins on November 1, 2024, website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store.