Browser programs have updated the timing of when these decisions will go into effect. For details, visit https://www.entrust.com/tls-certificate-information-center
Last week, I shared my thoughts on how we intend to move forward following Google’s decision to no longer include Entrust public root CA certificates issued after October 31, 2024, in the Chrome Root Program.
We are committed to restoring trust with the browser and web community and returning to the Chrome Root Store. The best way to do that is to demonstrate the progress we’re making.
Before I do that, I want to reiterate that Entrust continues to have operational capabilities to serve our customers' public digital certificate needs now and in the future.
Moreover, I want to clarify that Entrust TLS certificates issued prior to October 31, 2024, will be valid and trusted by Chrome for their natural lifecycle duration. We will share additional details on our continuity plans beyond that in the coming weeks. Our privately rooted solutions, including PKIaaS and managed PKI, and our digital signature solutions are not impacted by Google’s decision.
We have been working urgently on our improvement plans. Here’s a rundown on key developments:
- Established a certificate change control board and process. This cross-functional board now oversees and approves any changes to our certificate issuance and management systems. We will measure effectiveness based on reduction in incidents, faster incident response and reporting times, and improved quarterly audit results.
- Expanding linter use. We are increasing automation to help ensure compliant certificate issuance, which includes expanding use of linter tools to check certificate compliance both pre- and post-issuance in addition to manual and cross-functional reviews. We have used ZLint for pre- and post-issuance linting since 2019. We added pkilint for post-issuance in April 2024 and are adding it for pre-certificate issuance at the end of July.
- Engaging customers. We contacted all of our TLS customers and have met individually with the vast majority of our largest customers. These have been direct, transparent discussions about continuity options, improvement strategy, and the CA/Browser Forum requirements related to our incidents. These conversations ensure that everyone understands the five-day revocation rule.
- Offering automation to customers. Interest in automation solutions is rising. We have offered customers one year free of our Certificate Hub certificate lifecycle management solution, and information on open-source tools such as ACME. Some customers have noted challenges with ACME for their environments and we will look to address this with them.
- Engaged External Advisor to Drive Improvement. To underscore our commitment to improvement and meeting community expectations, we have retained Ryan Hurst as an advisor. Ryan will help us assess our practices, communication, and deployment relative to industry standards. Ryan is a recognized industry expert in cryptography and trust services who has built many products in this space, previously ran the Microsoft root program, created and managed several publicly trusted CAs, and advised others. He is also an established voice in the community, which will help us better understand how best to engage in these forums.
- Added Significant Product Management Talent and Expertise. As we redefine and execute on our TLS improvement plan, we have added deep domain expertise by naming Michael Klieman as Vice President of Global Product Management for Digital Security Solutions. Michael brings experience in cybersecurity and digital identity from his work at Symantec/DigiCert, MobileIron/Ivanti, Sophos, and OneSpan. In particular, he has deep experience in the TLS/SSL market and in compliance, certificate lifecycle management, and PKI. Michael started on July 1 and will be invaluable in defining our DSS product strategy and roadmap moving forward.
We are committed to being a publicly trusted CA and having a positive impact on the Web PKI. We respectfully request your continued patience and support as we work through these recent issues. I will provide you with regular, ongoing updates here and on our TLS certificate information center.