Apple Changes Regarding Entrust Roots
Apple has posted an update that TLS, S/MIME, Timestamping, and VMC certificates issued from Entrust public roots after November 15, 2024 will no longer be supported on Apple systems. Apple has indicated that these changes are currently in beta releases and have not yet been released in production Apple operating systems. Certificates issued on or before November 15, 2024 are expected to function until the natural expiration of the certificate.
TLS Certificates
Certificates issued on or before November 15, 2024, will be accepted by Apple systems until expiry. Customers can continue to request public TLS certificates and receive certificate services directly from Entrust, with public TLS certificates issued by a CA partner that meets the requirements of Google, Mozilla, Apple, Microsoft, and the CA/Browser Forum. Visit our TLS Certificate Information Center for more details.
Secure Email (S/MIME) Certificates
This affects only email clients that rely on the Apple Root Store, including the native Apple Mail application, Safari on Apple's Operating Systems, and Outlook 365 on Mac.
When the changes go into production:
- Digitally signed emails may not be validated on email clients that rely on the Apple Root Store.
- Recipients using mail clients that rely on the Apple Root Store may face challenges in receiving encrypted emails due to the difficulty of exchanging public keys, which is required for email encryption.
- Email clients and applications that rely on root stores other than Apple’s are expected to continue to function normally.
- We have arranged with our CA partner Sectigo to replace S/MIME certificates if they do not function as expected. Please contact our support team at [email protected] to initiate this process.
Verified Mark Certificates (VMCs) for BIMI
When the changes do go into effect, email recipients using @icloud.com, @mac.com, and @me.com addresses may no longer see the verified logo.
These changes will not impact users of @gmail.com addresses or other non-Apple email domains that support VMC, or the ability of Gmail recipients to view the blue checkmark.
Sectigo S/MIME Solution FAQs
Does this affect S/MIME certificates I have purchased but not yet issued?
Apple has stated that S/MIME certificates issued from Entrust roots on or after November 15, 2024 will not be supported by email clients that rely on the Apple Root Store. Customers who require compatibility with applications that rely on the Apple Root program can get S/MIME certificates through our partnership with Sectigo.
Are there any additional fees to obtain new S/MIME certificates from Sectigo?
We have arranged with our partner Sectigo to provide you with certificates based on your current agreement with Entrust. You will not incur additional charges for this service.
Can I continue to issue Entrust certificates that I have purchased, or obtain new certificates from Entrust?
Yes. Some use cases do not require compatibility with applications that rely on the Apple root program. Entrust continues to provide S/MIME certificates and also provides an option to obtain S/MIME certificates from our CA partner Sectigo.
Where can I get more information about Sectigo S/MIME certificates?
Verified Mark Certificates (VMCs) FAQs
Can I continue to purchase VMCs from Entrust?
Yes. Once it goes into effect, Apple’s decision will affect only the ability of email recipients using @icloud.com, @mac.com, and @me.com addresses to see a verified logo and will not in any way impact email delivery.
These changes also will not impact users of @gmail.com addresses or other non-Apple email domains that support VMCs.
Will this impact the ability of email recipients to view the blue checkmark?
The VMC verified blue checkmark is a visual cue for Gmail users only. Apple does not support the blue checkmark, so Apple’s update has no impact on this.
What if I have more questions about Entrust VMCs?
Contact us at [email protected].