Skip to main content
purple hex pattern

Are Entrust Qualified TLS Certificates affected by the recent browser decisions?

Entrust-issued QWAC PSD2 certificates are not affected as they do not rely on browser trust. Entrust-issued QWAC eIDAS certificates are affected by the browsers' decision, so browsers will not trust Entrust QWAC eIDAS certificates issued after the dates indicated as follows: 

 Entrust TLS certificates are trusted if issued prior to:Use D-Trust as CA for certificates issued after:
GoogleNovember 11, 2024November 12, 2024
MozillaNovember 30, 2024November 12, 2024

Prior to becoming a QTSP, Entrust issued QWAC certificates via a reseller agreement with D-Trust. After Nov 11, 2024 we will resume reselling QWACs through this partnership. 

We recommend consuming all Entrust QWAC eIDAS inventory in your account on or before Nov 11, 2024 if possible, as switching your inventory to DTrust certificates will require you to go through validation again, and these certificates will not appear in your ECS portal by default. For tracking purposes, you will be provided a free Foreign Certificate Management license to import each D-Trust certificate into ECS as a foreign certificate. 

We also recommend that you purchase and consume any QWAC eIDAS licenses from Entrust that you may need in the next few months on or before Nov 11, 2024, so they may be easily issued with existing validations and tracked in your ECS portal. 

For QWAC eIDAS certificates to be issued on or after Nov 12, 2024, we will be happy to supply/resell certificates from D-Trust.

Ordering and Certificate Life Cycle Processes

How will issuance work after November 11th, 2024?

  • Your existing Entrust licenses will remain valid and carry over with this new process. 
  • You can contact your account representative to place an order. 
  • Your organization and domain information will need to be reverified and a new legal agreement must be signed by the authorized signatory. 
  • The issued certificate will be delivered to the requester by Entrust.

How can I order D-Trust QWAC eIDAS TLS licenses?

Contact your Entrust Account Representative to request a quote for D-Trust QWAC eIDAS TLS licenses.

Are these subscription or unit-based licenses?

The D-Trust QWAC eIDAS TLS licenses are unit-based licenses and only valid for 12 months from the date of order fulfilment.

How can I enroll for a D-Trust QWAC eIDAS TLS Certificate?

Contact your Entrust Account Representative to place the order.

How can I reissue a D-Trust QWAC eIDAS TLS Certificate after November 11th?

D-Trust Reissues (a revoke and replace) are allowed within the first 30 days of certificate issuance, after that there will be a charge. The exception to this 30-day rule is if there is a requirement to only change the key pair but keep the contents of the certificate the same.

How can I revoke a D-Trust QWAC eIDAS TLS Certificate?

To revoke a D-Trust QWAC eIDAS TLS certificate please contact either the ECS Customer Support Team [email protected] or the ECS Verification Team [email protected] and provide the following details: 

  • Company Name 
  • Certificate FQDN 
  • Certificate Serial Number 
  • Certificate Issuer - D-Trust 
  • Action: Revoke Certificate 

If your revocation request is urgent then please follow the customer support process to log a SEV 1 case.

How will I know when a D-Trust QWAC eIDAS TLS Certificate expires?

Once issued, the D-Trust QWAC eIDAS TLS Certificate will be automatically added to your Foreign Certificate Management report in the Entrust Certificate Services (ECS) platform. You will therefore receive a renewal notification from the ECS platform before the certificate expires. Please contact your account manager to submit a renewal request.

Technical Product Details

How long is a D-Trust QWAC eIDAS TLS Certificate valid for?

The D-Trust QWAC eIDAS TLS Certificate will be offered for a period of 1 year.

What are the maximum number of SANS supported for a D-Trust QWAC eIDAS TLS Certificate?

D-Trust QWAC eIDAS TLS certificates can support up to 254 Subject Alternative Names (SANS).

What encryption method is supported for a D-Trust QWAC eIDAS TLS Certificate?

The RSA encryption method is supported for the D-Trust QWAC eIDAS TLS Certificate.

What is the minimum key size supported for a D-Trust QWAC eIDAS TLS Certificate?

A minimum RSA key size of 2048 bits will be supported for the D-Trust QWAC eIDAS TLS Certificate.

How can I obtain a test D-Trust QWAC eIDAS TLS Certificate?

You can contact your account representative to place a test order free of charge from an untrusted hierarchy.

How can I order a D-Trust QWAC eIDAS TLS Certificates in advance of November 11th?

We are targeting October 1st, 2024 to have a process in place that will enable customers to order a production or test certificate and test the issuance path: 

  • You can contact your account representative so that: 
    • You can start reverifying your organization and domains with D-Trust 
    • Sign the D-Trust legal agreement 
    • Issue D-Trust certificates, while still being able to issue certificates from Entrust 
    • Issued D-Trust certificates will be signed by the D-Trust Hierarchy

Where can I get the hierarchy for a D-Trust QWAC eIDAS TLS Certificate?

The hierarchy for a D-Trust QWAC eIDAS TLS Certificate will be included in the order fulfillment email and is available for download from the Entrust website below: 

Does D-Trust work across all browsers, devices, and countries?

D-Trust is a Qualified Trust Services Provider (QTSP) based out of Germany and founded in 1998 with extended browser ubiquity and mobile device support. D-Trust’s products have been certified according to the eIDAS standard since 2017.

Verification and Support of Certificates

How will Organization and Domain Validation take place?

Provide your organization and domain names to the ECS verification team and this information will be passed on to D-Trust to be verified along with the contact details of the authorized signatory.

Are there any changes to the Certificate Authority Authorization (CAA) records?

If your organization currently uses “entrust.net” for your CAA record, we recommend that you also add a separate CAA record for D-Trust issued certificates. Valid values are: 

  • d-trust.net 
  • d-trust.de 

Example: 

  • CAA 0 issue “d-trust.net” 
  • CAA 0 issuewild “d-trust.net” 

For more specific details about how to update your CAA records please refer to the tech note here.

How long does it take to issue a D-Trust QWAC eIDAS TLS certificate?

Please allow 1-2 weeks for the verification process to be completed. Certificates that are requested with verified information are issued instantly. Entrust will deliver a D-Trust QWAC eIDAS TLS Certificate to the requestor.

Will we now have to deal with both D-Trust and Entrust when we have certificate issues?

No. You will continue to work with Entrust as you always have for issuance, renewal, verification, and support. However, you may be contacted by D-Trust as part of the verification process.