Entrust Certificate Migration Guide and Installation Best Practices for U.S. Organizations

In September 2024, Google and Mozilla announced that they would stop trusting SSL/TLS certificates that Entrust issues after November 12, 2024. This decision has significant implications for organizations relying on Entrust for digital security, particularly in the United States. The move underscores the importance of certificate lifecycle management and the need for proactive migration strategies to maintain secure, trusted web connections. This article provides a detailed guide for migrating away from Entrust and highlights best practices for certificate installation, emphasizing automation, compliance, and integration.

Understanding the Entrust Situation

Entrust was once a widely trusted Certificate Authority (CA) responsible for issuing SSL/TLS certificates used to secure web traffic. However, recent disclosures have highlighted recurring issues with Entrust’s compliance and operational practices. According to Google’s security team, public reports have revealed “a pattern of concerning behaviors” by Entrust that fall short of expected standards. This has led to a loss of confidence in Entrust’s ability to uphold the trust model required for secure digital communications.

Mozilla and Google have announced that they will no longer trust Entrust-issued certificates by default in their browsers. While certificates issued before November 12, 2024, will remain valid, those issued afterward will be flagged as untrusted. This change affects organizations that depend on Entrust for secure web hosting, API communications, or internal infrastructure. The transition requires immediate attention to avoid service disruptions or security vulnerabilities.

Preparing for Migration

Organizations currently using Entrust certificates must begin the migration process as soon as possible. The first step in this process is to evaluate the current certificate inventory. This involves identifying all Entrust-issued certificates, including their expiration dates, associated domains, and deployment locations. This inventory is essential for planning a smooth migration and minimizing the risk of outages.

Certificate discovery is a critical part of certificate lifecycle management. Without visibility into the full certificate landscape, organizations risk missing certificates that require immediate replacement. Once the inventory is complete, organizations can begin planning the migration to a trusted alternative CA.
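The discovery step above produces an inventory; the next thing a practitioner needs is a repeatable way to turn that inventory into an ordered replacement list. The following is an added example, not code from the original article: it reads a small constructed CSV inventory (host, issuer organization, validity dates), classifies each certificate against the November 12, 2024 cutoff the article gives, and sorts the result by urgency and days to expiry. The CSV column names, the sample rows, the `ENTRUST_MARKER` substring and the reference date `TODAY` are assumptions for the example.

```python
"""Triage a certificate inventory against the Entrust distrust cutoff.

Added example, not code from the original article. The CSV inventory format,
the sample rows and the reference date are constructed for illustration; the
cutoff date is the one the article gives.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Certificates Entrust issues after this date are distrusted by Chrome and Firefox (per the article).
DISTRUST_CUTOFF = date(2024, 11, 12)

# Substring matched case-insensitively against the issuer's O= value. Assumption for this
# example: check it against the exact issuer names your discovery tool reports.
ENTRUST_MARKER = "entrust"

# Constructed reference "today" so the output is reproducible.
TODAY = date(2024, 12, 1)

# Constructed sample inventory, one row per deployed certificate.
SAMPLE_INVENTORY_CSV = """host,issuer_org,not_before,not_after
www.example.com,Entrust,2024-06-01,2025-06-01
api.example.com,Entrust,2024-11-20,2025-11-20
legacy.example.com,Entrust,2023-12-15,2024-12-15
old.example.com,Entrust,2023-10-01,2024-10-01
shop.example.com,Example Trusted CA,2024-09-01,2025-09-01
"""

# Verdicts in order of urgency (lower sorts first).
EXPIRED = "EXPIRED"
UNTRUSTED = "UNTRUSTED_REPLACE_NOW"
PLAN = "TRUSTED_UNTIL_EXPIRY_PLAN_REPLACEMENT"
NO_ACTION = "NO_ACTION"
URGENCY = {EXPIRED: 0, UNTRUSTED: 1, PLAN: 2, NO_ACTION: 3}


@dataclass
class Finding:
    host: str
    issuer_org: str
    not_before: date
    not_after: date
    verdict: str
    days_left: int  # negative once expired


def classify(issuer_org: str, not_before: date, not_after: date, today: date) -> str:
    """Decide what to do with one certificate."""
    if not_after < today:
        return EXPIRED  # already broken, whoever issued it
    if ENTRUST_MARKER not in issuer_org.lower():
        return NO_ACTION
    # Assumption: not_before stands in for the issuance date. Chrome keys its
    # enforcement on the certificate's SCT timestamps, so confirm borderline cases.
    if not_before > DISTRUST_CUTOFF:
        return UNTRUSTED
    return PLAN


def triage(inventory_csv: str, today: date) -> list:
    """Parse the inventory and return findings sorted by urgency, then by soonest expiry."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        nb = date.fromisoformat(row["not_before"])
        na = date.fromisoformat(row["not_after"])
        findings.append(Finding(
            host=row["host"], issuer_org=row["issuer_org"], not_before=nb, not_after=na,
            verdict=classify(row["issuer_org"], nb, na, today), days_left=(na - today).days,
        ))
    findings.sort(key=lambda f: (URGENCY[f.verdict], f.days_left))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY_CSV, TODAY):
        print(f"{f.verdict:<40} {f.host:<22} expires in {f.days_left:>4} days ({f.issuer_org})")
```

The ordering is deliberate: an Entrust certificate issued after the cutoff is already untrusted and outranks one that is still trusted but expiring soon, and anything already expired outranks both. Real inventories usually come from a scanner or CLM export rather than a hand-written CSV, but the classification logic is the same.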

Choosing a New Certificate Authority

Selecting a new CA is a strategic decision that should align with organizational needs in terms of security, automation, and integration. The new CA should have a strong track record of compliance with industry standards such as the CA/Browser Forum guidelines. Additionally, organizations should consider the CA’s automation capabilities and whether it offers a centralized platform for certificate lifecycle management.

Automation is a key factor in managing digital certificates at scale. A robust certificate lifecycle management (CLM) platform can help reduce manual effort, prevent certificate expirations, and ensure continuous compliance. Some CAs offer integrations with DevOps tools and existing infrastructure, making the transition smoother for organizations with complex environments.

Steps for Migrating from Entrust

Migrating from Entrust involves a series of well-defined steps to ensure that the transition is seamless and secure. Below is an overview of the key steps recommended for a successful migration:

Step 1: Evaluate Your Current Situation

Begin by identifying all Entrust-issued certificates in use. This includes reviewing certificate expiration dates and deployment locations. Organizations should also assess their current certificate management practices to determine areas for improvement.

Step 2: Choose a New CA

Select a CA that offers strong security practices, automation, and compatibility with existing infrastructure. Consider factors such as the CA’s compliance record, integration capabilities, and customer support. A CA-agnostic platform such as Sectigo can provide flexibility for organizations with multi-vendor requirements.

Step 3: Generate Certificate Signing Requests (CSRs)

For each certificate that needs to be replaced, generate a new Certificate Signing Request (CSR). This process involves creating a public-private key pair and providing accurate information such as the organization’s legal name, Fully Qualified Domain Name (FQDN), and geographic location. The CSR forms the basis of the new certificate and is essential for establishing digital trust.

Step 4: Install New Certificates

After receiving the new certificates from the selected CA, proceed with the installation process. The exact steps will depend on the type of server or application being used. In some cases, this may involve uploading certificate files, editing configuration files, or importing and binding certificates within a management console. It is important to verify that the certificates are correctly installed and functioning as intended.

Step 5: Monitor and Manage

Once the new certificates are in place, implement a system for ongoing monitoring and management. This includes tracking certificate expiration dates, verifying that certificates remain trusted by major browsers, and ensuring that any changes to the certificate inventory are promptly addressed. Automated certificate management tools can help reduce the risk of human error and improve operational efficiency.

Best Practices for Certificate Installation

Proper certificate installation is essential for maintaining secure and trusted connections. The following best practices should be followed to ensure a smooth and effective transition:

Ensure Accurate Information

When generating a CSR, it is important to provide accurate and up-to-date information. This includes the organization’s legal name, FQDN, and geographic location. Inaccurate information can lead to certificate validation issues and compromise the trust model.

Verify Key Pair Generation

The CSR generation process creates a public-private key pair. The private key must be securely stored and protected from unauthorized access. Any compromise of the private key can result in a loss of trust and potential security breaches.

Test Certificate Functionality

After installation, test the certificate to ensure that it is functioning correctly. This can be done by accessing the associated domain through a browser and verifying that the connection is secure and trusted. Automated testing tools can also be used to monitor certificate status and detect potential issues.
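A browser check confirms one host at a time; the same checks can be scripted so every migrated endpoint is verified the same way. The following is an added example, not code from the original article or any vendor tool: `evaluate_cert` takes a certificate in the dictionary shape Python's `ssl` module returns from `getpeercert()` and reports whether the issuer is Entrust, whether the validity window covers the check time, and whether the hostname appears in the SAN list; `check_live` performs the TLS connection and feeds the served certificate into that check. The two sample certificates, the `CHECK_TIME` reference and the `ENTRUST_MARKER` substring are constructed assumptions for the example.

```python
"""Post-installation certificate verification.

Added example, not code from the original article. The getpeercert()-shaped
sample dicts, the reference time and the issuer marker are constructed.
"""
import socket
import ssl
import time

ENTRUST_MARKER = "entrust"  # matched case-insensitively against the issuer's organizationName

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_NEW_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA TLS Issuing CA 1"),)),
    "notBefore": "Dec  1 00:00:00 2024 GMT",
    "notAfter": "Dec  1 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
SAMPLE_ENTRUST_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "issuer": ((("organizationName", "Entrust, Inc."),),),
    "notBefore": "Nov 20 00:00:00 2024 GMT",
    "notAfter": "Nov 20 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "api.example.com"),),
}
# Constructed reference time (seconds since the epoch) so results are reproducible.
CHECK_TIME = ssl.cert_time_to_seconds("Jan 15 12:00:00 2025 GMT")


def _rdn_value(name_seq, key):
    """Pull one attribute (e.g. organizationName) out of getpeercert()'s nested tuples."""
    for rdn in name_seq:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _hostname_matches(hostname, san_names):
    """Match a hostname against DNS SAN entries: exact, or a single leading wildcard label."""
    host = hostname.lower().rstrip(".")
    for kind, name in san_names:
        if kind != "DNS":
            continue
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        # "*.example.com" covers "www.example.com" but not "example.com" or "a.b.example.com".
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def evaluate_cert(cert, hostname, now_epoch):
    """Return (ok, problems) for a getpeercert()-style dict evaluated at now_epoch."""
    problems = []
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName") or ""
    if ENTRUST_MARKER in issuer_org.lower():
        problems.append(f"issuer is Entrust ({issuer_org}); browsers distrust new Entrust issuance")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_epoch < not_before:
        problems.append("certificate is not yet valid")
    if now_epoch >= not_after:
        problems.append("certificate has expired")
    if not _hostname_matches(hostname, cert.get("subjectAltName", ())):
        problems.append(f"hostname {hostname} is not covered by subjectAltName")
    return (not problems, problems)


def check_live(hostname, port=443, timeout=5.0):
    """Connect with the system trust store and evaluate the served leaf certificate.

    The default context already rejects an untrusted chain, a bad hostname or an
    expired certificate during the handshake; evaluate_cert adds the issuer policy
    check on top. Requires network access, so it is not exercised offline.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return evaluate_cert(tls.getpeercert(), hostname, time.time())


if __name__ == "__main__":
    for label, cert, host in (("new", SAMPLE_NEW_CERT, "www.example.com"),
                              ("entrust", SAMPLE_ENTRUST_CERT, "api.example.com")):
        ok, problems = evaluate_cert(cert, host, CHECK_TIME)
        print(label, "OK" if ok else "; ".join(problems))
```

Running `check_live` against a host after installation gives a pass/fail answer per endpoint; because `ssl.create_default_context()` validates the chain during the handshake, a server that forgot to include its intermediate certificate fails before `evaluate_cert` is reached, which is exactly the failure a browser would show.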

Maintain an Updated Inventory

Maintaining an updated certificate inventory is crucial for effective certificate lifecycle management. This includes tracking the location, expiration date, and status of each certificate. A centralized certificate management platform can help streamline this process and reduce the risk of certificate-related outages.

Security and Compliance Considerations

Security and compliance should be central to any certificate management strategy. Organizations should review the policies and practices of their chosen CA to ensure that they align with industry standards and regulatory requirements. This includes evaluating the CA’s cryptographic practices, incident response procedures, and compliance with the CA/Browser Forum guidelines.

Compliance with industry standards is essential for maintaining trust and avoiding potential legal or regulatory issues. Organizations should also ensure that their certificate management practices are aligned with internal security policies and governance frameworks.

Conclusion

The decision by Google and Mozilla to no longer trust Entrust-issued certificates highlights the importance of proactive certificate management and the need for organizations to migrate to trusted alternatives. By following a structured migration process and implementing best practices for certificate installation, organizations can ensure that their digital connections remain secure and trusted.

Choosing a new CA with strong security practices, automation capabilities, and integration options is essential for a smooth transition. Additionally, organizations should prioritize certificate discovery, monitoring, and management to prevent outages and maintain compliance with industry standards.

For U.S.-based organizations, the transition away from Entrust represents an opportunity to strengthen their digital security posture and establish long-term trust with users and partners.
