Google has announced that it will cease to trust certificates issued by Entrust, a prominent certificate authority, starting November 1, 2024.
The change, which will affect Chrome browsers from version 127 onward, stems from what Google describes as Entrust’s prolonged failure to adhere to compliance standards and address security issues.
Google’s decision follows a series of incident reports that have negatively impacted confidence in Entrust’s ability to serve as a reliable certificate authority.
Google will drop Entrust support from November
The Chrome Security Team wrote in a blog post: “Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.”
After November 1, TLS server authentication certificates that validate to Entrust or AffirmTrust roots will not be trusted by default. Chrome users will still have the option to manually trust these certificates if they wish to maintain existing functionality, though at an implied risk.
Google isn’t the only company expressing dissatisfaction, with Mozilla also documenting Entrust’s certificate issues several weeks ago.
Website operators using Entrust certificates must transition to a new certificate authority before the November cutoff in order to avoid disruptions.
The Chrome Security Team added: “Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports.”
Google confirmed that the change will come into effect with Chrome 127 on Windows, macOS, ChromeOS, Android, and Linux. However, Apple policies “prevent the Chrome Certificate Verifier and corresponding Chrome Root Store from being used on Chrome for iOS.”
An Entrust spokesperson (via The Register) commented on Google’s decision: “The decision by the Chrome Root Program comes as a disappointment to us as a long-term member of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to provide continuity to our customers.”