Google has announced that it will stop trusting certifications from Entrust, a major certificate authority, as of November 1, 2024.
The change, which will affect Chrome browsers from version 127 onwards, arises from what Google describes as Entrust's long-standing failure to meet compliance standards and address security issues.
Google's decision follows a series of incident reports that have negatively impacted confidence in Entrust's ability to act as a trusted certification authority.
Google will stop supporting Entrust starting in November
The Chrome Security Team wrote in a blog post: “Over the past several years, publicly disclosed incident reports have highlighted a pattern of troubling behavior by Entrust that has failed to meet previous expectations and has eroded confidence in its competence, reliability, and integrity as a publicly trusted CA owner.”
Starting November 1, Entrust or AffirmTrust root-validated TLS server authentication certificates will not be trusted by default; however, Chrome users will still have the option to manually trust these certificates if they wish to maintain existing functionality, albeit at some risk.
Google isn't the only company expressing dissatisfaction, Mozilla also documented Entrust's certificate issues several weeks ago.
Website operators using Entrust certificates must transition to a new certification authority by the November deadline to avoid disruptions.
The Chrome security team added: “Over the past six years, we have observed a pattern of compliance failures, broken improvement commitments, and a lack of tangible, measurable progress in response to publicly disclosed incident reports.”
Google confirmed that the change will go into effect with Chrome 127 on Windows, macOS, ChromeOS, Android, and Linux; however, Apple's policies “prevent Chrome Certificate Verifier and the corresponding Chrome Root Store from being used in Chrome for iOS.”
An Entrust spokesperson (via Register) commented on Google’s decision: “The Chrome Root Program decision is a disappointment to us as a long-time member of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to provide continuity for our customers.”
