Entrust Hero Image

Google announces distrust of Entrust certificates

The recent announcement of the Google Chrome distrust of Entrust has caused significant disruption to a large number of organizations. If you need replacement certificates or certificate lifecycle automation, we’re here to help.

The Entrust distrust
webinar

What happened, what it means and what steps to take

We helped thousands navigate the Symantec distrust in 2018. Join us for an experience-backed roadmap to avoiding disruption from the Entrust distrust.

Google chrome to distrust Entrust certificates

Public TLS certificates issued from Entrust roots with a Signed Certificate Timestamp (SCT) dated after October 31, 2024 will not be trusted by Google Chrome.

  • To be trusted by a browser, a certificate authority must comply with specific requirements defined by the CA/Browser Forum.
  • To ensure trust is consistent and continuous, browsers receive regular audit reports about CA operations and compliance.
  • Transparency is the rule. CAs are expected to work in good faith with browsers to fix and prevent issues. 
  • Recently, root programs indicated a lack of confidence in TLS certificate issuance practices of Entrust.
  • Google ultimately made the decision to .

What does that mean for Entrust customers?

  • Public TLS certificates issued off of Entrust roots whose earliest SCT is after October 31, 2024 will no longer be valid on Google Chrome.
  • Those Entrust certificates will be treated as an unsecured site.
  • Any TLS certificate with an SCT dated before November 1, 2024 will be valid for its term.

We’re here to help

We understand this incident poses significant risk of business disruption to a large number of organizations.

As the world leader in globally trusted PKI and TLS/SSL solutions, we are committed to making our services and solutions available to help you maintain critical operations and ensure uninterrupted business continuity during the transition from Entrust—and beyond.

Entrust - We're here to help

What steps should you take?

We recommend that owners of Entrust certificates follow these
4 steps now to ensure continuity of business:

Inventory certificates so you know what needs to be replaced and by when

Complete validation of organization(s) and domain(s)

Start issuing certificates

Why trust ?

We take our responsibility as aCertificate Authority (CA)in the root store of all major browsers very seriously. Our entire company’s sole focus is—and has been for more than two decades—to do everything in our power to deliver digital trust to our customers that enables them to safely communicate, engage, and transact across the breadth of the connected world. 

How we earn your trust

Checklist icon

Compliance for all

employs a proactive and data-driven approach to compliance—and even offer our technology freely to help other organizations do the same, including our recent open-source release of PKIlint, an automated certificate linter that enables users to rapidly check certificates for errors and compliance issues.

Globe Icon

Global standards and governance

Without a globally accepted body of standards, there is no core foundation for trust. We adhere to all the requirements of the CA/Browser Forum for the issuance and management of certificates.

Shield Icon

Leading by example

We work closely with the CA/Browser forum and leading standards organizations. We also actively participate and lead on numerous boards and initiatives. That’s because we see active leadership as the most effective means to continuously improve the security and dependability of security technologies and embody our mission to deliver digital trust in the real world.

Need assistance navigating your migration from Entrust?

Our experts can help ensure you make the transition without disruption or costly outages. Reach out today.

By supplying my personal information and clicking submit, I agree to receive communications about products and services, and I agree to and its affiliates processing my data in accordance with 's Privacy Policy.

Related resources

BLOG

How to Prevent Problems When a Certificate is Mis-issued

BLOG

Why Compliance is the Foundation of Digital Trust

BLOG

Releases Innovative Automated Testing Tool for Digital Certificates

BLOG

What is a CA's role in delivering digital trust?

Video

What is digital trust?

Datasheet

Certificate management for TLS best practices

FAQ

When will my Entrust certificates be distrusted by Google Chrome?

When should I start replacing my current Entrust certificates?

How can I determine if we are using Entrust certificates in our environment?

How long will it take to get new certificates?

How can we trust that will not have a similar distrust problem?

When will my Entrust certificates be distrusted by Google Chrome?

Public TLS certificates issued from Entrust roots with a Signed Certificate Timestamp (SCT) dated after October 31, 2024, will not be trusted by Google Chrome after October 31, 2024.

Any TLS certificate with an SCT dated before October 31, 2024, will be valid for its term.

When should I start replacing my current Entrust certificates?

We recommend customers start planning their replacement strategy as soon as possible to get an accurate inventory of their certificates with their corresponding expiry date, assess the risk profile of the associated service, and plan the replacement process. Here are the top 4 things you should do today. (link to section on the site that says this)

How can I determine if we are using Entrust certificates in our environment?

A variety of tools can connect to your infrastructure to scan and discover certificates in your environment. Trust Lifecycle Manager (TLM) and CertCentral can evaluate your environment to identify any Entrust certificates in need of replacement. Contact us if you need help with this.

How long will it take to get new certificates?

Getting new certificates can be done very quickly; however, you will need to be responsive and quick to work with us. We will need to validate your domain, which takes seconds, and then validate your organization, which can be done in minutes. The entire process of getting your new certificates can be completed very quickly.

After this initial organization validation is done, future certificates will not need to go through this process until their validation expires—according to industry guidelines—which means subsequent certificate requests will be even quicker.

How can we trust that will not have a similar distrust problem?

There are three things that distinguish and its certificate authority business. First, we have well defined processes that we follow diligently and use tools like PKILint that we’ve developed to help mitigate issues. Second, we work closely with the CA/Browser Forum to respond to issues quickly and transparently; when issues arise, we work quickly to solve them. Finally, we are an active participant with the standards bodies, ensuring that we not only comply with standards but help evolve them for the benefit of industry.