Skip to main content

Chrome will distrust CA certificates from Entrust later this year

A Certification Authority (CA) issues certificates that help guarantee you’re visiting a legitimate website. Over the years, Chrome has had to distrust some CAs, and the Google browser is about to do that again with certificates from Entrust.

Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. 

Google points to a list of “publicly disclosed incident reports” that highlight a “pattern of concerning behaviors by Entrust that fall short of the [Chrome Root Program Policy requirements], and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.”

When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified. 

Chrome 127+ will no longer trust new TLS server authentication certificates from Entrust (or AffirmTrust) on November 1. End users will see a “Your connection is not private” warning (ERR_CERT_AUTHORITY_INVALID) when they attempt to visit such a site:

Several large websites today use Entrust, including: moneygram.com, merrilledge.com, and ey.com. You can check by clicking the “Tune” icon to the left of the URL in the address bar > Connection is secure > Certificate is valid:


  • Website owner action not required, if the “Organization (O)” field listed beneath the “Issued By” heading does not contain “Entrust” or “AffirmTrust”.
  • Website owner action is required, If the “Organization (O)” field listed beneath the “Issued By” heading contains “Entrust” or “AffirmTrust”.

Google’s recommendation to website owners is to “transition to a new publicly-trusted CA Owner as soon as reasonably possible” before November 1. Meanwhile, other Google products might take similar actions in the future.

Enterprise customers will be given the ability to continue to trust Entrust if they so choose. 

More details of Google’s roadmap and a FAQ can be found here.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Abner Li Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications