Last week Google announced that they would no longer include Entrust root CA certificates in the Chrome Root Program. This means that the TLS certificates we issue after October 31, 2024, will no longer be trusted within the Chrome Root Store Program. We are disappointed by this decision and want to share how we intend to move forward.

We understand what led us here. We are committed to improvement. And Entrust continues to have operational capabilities to serve our customers’ public and private digital certificate needs. These capabilities extend beyond the issuing roots in question.

Our recent mis-issuance incidents arose out of a misinterpretation we made of CA/Browser Forum compliance requirements. In our attempt to resolve this issue, our changes created additional non-security related mis-issuances.

In our attempt to provide additional flexibility to our customers, we provided extensions and delays in revocations that were not supported by the CA/Browser Forum Requirements, which mandate five-day revocation for all certificate mis-issuances.

This created an environment in which the community scrutinized past Entrust incidents. This identified past Entrust commitments, which if fully implemented, could have helped to prevent these incidents. We agree that there are opportunities for us to improve, and we have completed a thorough assessment of our CA operation in the last few months.

As a result of this assessment, we made changes in our organization, processes, and policies. For example, we have moved the CA product compliance team into our global compliance and operations teams to fully leverage the more robust capabilities of this larger organization. We have instituted a cross-functional change control board and a technical change review board to catch similar issues in the future. We are accelerating R&D for TLS certificate compliance and automation-related work while also improving the tracking of our public commitments and revising our public incident response practices to ensure such issues do not occur again.

I want to assure you that we are committed to continuing to serve as a public CA and that we will complete open issues and promised improvements in a timely manner. We are working with Chrome and the other browser root programs to address the raised concerns while also providing continuity for customers while we execute these changes. We have the expertise to do this, as demonstrated by our ability to deliver our many products and solutions designed to meet demanding global compliance requirements.

Entrust has been a publicly trusted CA for over two decades and has contributed to stronger Web PKI capabilities globally. We continue to have operational capabilities to serve customers’ certificate needs today and will do so in the future. We respectfully ask for your patience as we work to ensure that you have no disruptions to the service you have come to expect from Entrust.

Find more resources in our TLS Certificate Information Center. If you have additional questions, please contact us at [email protected].