There is a lot to learn from last week’s news regarding Google’s decision to distrust Entrust for Google Chrome. Any certificate issued from Entrust root certificate authorities (CA) after October 31, 2024 will no longer be trusted by the Google Chrome browser.
According to reports, Google’s decision to part ways with Entrust’s public certificate authorities (CAs) is due to an “observed pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports.” Digital certificates have been mis-issued which has led to overall security implications. While unfortunate, Google’s response is intended to preserve the integrity of Web public key infrastructure (PKI). In today’s increasingly digital world, PKI is critical to protect the confidentiality and authenticity of communication between web browsers and web content servers. PKI is what ensures digital trust in our online world.
What does this mean for businesses?
Companies that want their public-facing websites and apps to remain accessible from the Chrome browser, which accounts for roughly 65% or more of all Internet users, will have to plan a migration and ensure that Entrust-issued certificates nearing expiration are renewed and replaced with certificates issued by another publicly trusted CA.
What can we learn from this decision?
There are four major lessons from Google’s recent decision to distrust Entrust.
First is the importance of CA-agility. When it comes to leveraging public CAs, there is always the risk that a CA will revoke certificates or be distrusted from web browser trust stores (this has happened several times in the past few years). To minimize this risk and prevent disruption, businesses must maintain the ability to easily add, switch, and migrate CAs, or have a multi-CA strategy.
Second is the critical need for crypto-agility. Every CA makes mistakes, and web browsers are then forced to make the difficult decision to revoke certificates. In fact, this has happened several times over the last year, for example Mozilla’s distrust of Entrust’s public CAs in May. Organizations must be able to handle revocations at scale and install new certificates in place of old ones without disrupting business operations.
Third, businesses shouldn’t put all their eggs in one public CA’s basket. Companies should also avoid using public CAs for anything other than entities that require public trust, such as public-facing websites and applications (e.g., a mobile app that speaks to the cloud). With private PKI, certificates issued to an organization’s internal servers and systems are used to verify the authenticity of users and devices. In this case, private CAs are created to issue those certificates and are managed internally, reducing the risk of unauthorized access and potential compromise by external entities.
In our digital world, trust is everything and private PKI allows businesses to provide those who rely on their CAs with a higher degree of confidence.
Fourth, this situation is an early warning sign of what’s to come for post-quantum cryptography (PQC). Replacing all publicly trusted certificates from a CA is a drop in the bucket compared to what will be required to migrate to quantum-safe algorithms. This decision is a good reminder that businesses must start planning for the transition to PQC algorithms as early as possible to avoid catastrophic disruptions.
How can Keyfactor help?
In preparation for the upcoming change in Chrome, IT and security leaders should carefully evaluate their PKI and certificate landscapes. Businesses must act quickly to identify and replace affected certificates, a process that cannot practically be done manually.
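The triage that the migration planning above and the earlier "renew and replace" guidance call for, written out as an added example (this is not Keyfactor's code and not Chrome's trust logic). It assumes a certificate inventory exported as records with the chain's root issuer and validity dates, uses notBefore as the issuance date, and matches Entrust roots by name; the sample inventory is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Cut-off stated in the post: Entrust-rooted certificates issued after this
# date are no longer trusted by Chrome. Assumption: notBefore ~ issuance date.
CHROME_ENTRUST_CUTOFF = date(2024, 10, 31)

@dataclass(frozen=True)
class CertRecord:
    subject: str
    root_issuer: str   # DN of the chain's root, as an inventory export would list it
    not_before: date
    not_after: date

def is_entrust_rooted(record):
    # Assumption: name-based heuristic on the root DN, not a list of exact roots.
    return "entrust" in record.root_issuer.lower()

def triage(record, today, lead_days=30):
    """Return (action, deadline) for one certificate under the Chrome distrust."""
    if not is_entrust_rooted(record):
        return ("unaffected", record.not_after)
    if record.not_before > CHROME_ENTRUST_CUTOFF:
        # Already outside Chrome's trust: replace now, from a different public CA.
        return ("replace-now-other-ca", today)
    # Still trusted until expiry, but any renewal must come from another CA;
    # schedule the swap lead_days before expiry, or today if that has passed.
    deadline = record.not_after - timedelta(days=lead_days)
    return ("renew-with-other-ca", max(deadline, today))

def plan(inventory, today, lead_days=30):
    """Group the inventory by action, most urgent first within each group."""
    groups = {}
    for rec in inventory:
        action, deadline = triage(rec, today, lead_days)
        groups.setdefault(action, []).append((deadline, rec.subject))
    for items in groups.values():
        items.sort()
    return groups

# Constructed sample inventory (not real certificates or real root names).
ENTRUST = "O=Entrust, Inc., CN=Entrust Root CA (sample)"
OTHER = "O=Other CA, CN=Other Public Root CA (sample)"
SAMPLE = [
    CertRecord("www.example.com", ENTRUST, date(2024, 9, 1), date(2025, 9, 1)),
    CertRecord("api.example.com", ENTRUST, date(2024, 11, 15), date(2025, 11, 15)),
    CertRecord("shop.example.com", OTHER, date(2024, 11, 20), date(2025, 11, 20)),
    CertRecord("login.example.com", ENTRUST, date(2024, 3, 1), date(2024, 12, 1)),
]
```

Running `plan(SAMPLE, date(2024, 11, 20))` flags api.example.com for immediate replacement and puts the soon-to-expire login.example.com ahead of www.example.com in the renewal queue.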
With Keyfactor Command, customers gain the visibility and automation needed to make the transition to a new CA seamlessly. Keyfactor Command gives businesses a view into all their certificates from a single dashboard, helping them to identify and remediate risks fast with a simple search-and-click engine.
Users can also leverage Keyfactor Orchestrators and pre-built plugins to automate certificate renewal, provisioning, and installation with just one click or no clicks at all. For those who leverage Entrust’s digital certificates, Keyfactor’s Command offerings provide the flexibility needed to migrate PKI and certificate management without disruption to productivity.
When it comes to preparing for PQC, businesses can leverage Keyfactor’s PQC Lab – a free, SaaS-based sandbox that enables teams to generate a PQC-ready CA and start issuing quantum-resilient certificates in minutes. The sandbox is now available in Azure.
Key takeaways for certificate management moving forward
Google’s decision to distrust Entrust is a wake-up call for organizations. Digital trust isn’t static; it’s always under threat.
To remain resilient, businesses need full visibility of all certificates, the ability to automate certificate replacement and remediation at scale, and most importantly, the flexibility to add, migrate, or switch CAs, without causing interruption.
To learn more about how Keyfactor can help your organization navigate this transition, please reach out here.