Google’s decision to distrust Entrust must not be seen solely from the standpoint of CA failures and complacency. It is essential to take a broader view and understand the critical need for crypto- and CA-agility in preparing for future changes and threats.
Last week, Google announced its decision to distrust public TLS certificates from Entrust CA following a trail of non-compliance issues. Starting November 1, 2024, Google Chrome will no longer trust SSL/TLS certificates issued by Entrust or AffirmTrust. Any website or application using an Entrust certificate issued after October 31, 2024, will be treated as invalid/untrusted and will trigger security and privacy warnings on Google Chrome.
The move has, undoubtedly, sent ripples through the PKI community, given Entrust’s status as a prominent and long-standing public CA. Several organizations relying on Entrust now face the challenge of swiftly migrating to a new trusted public CA before the deadline (in less than four months!). Continuing to rely on public TLS certificates issued by Entrust after Nov 1, 2024 (to secure websites) will result in security and privacy warnings, which could impact an organization’s revenue and reputation.
Key Lessons to Learn from Google’s Decision
Google’s decision to distrust Entrust certificates marks yet another pivotal moment, offering essential and often overlooked lessons.
- CA Accountability: Certificate Authorities play a pivotal role in securing online communications and ensuring digital trust. Google’s decision is a call for greater commitment and accountability among CAs to maintaining reliability, security, and compliance.
- Avoiding CA Lock-In: Putting all your eggs in one basket is a risky strategy, as is relying on a single CA for all certificate needs. As a best practice, organizations should avoid CA lock-in and maintain the flexibility to choose from multiple CAs based on business needs. This way, even if one CA is distrusted or has a security incident, only a subset of the organization’s certificates will be affected, minimizing the overall impact.
- The Importance of Crypto-Agility: Developments and disruptions in the PKI and cryptography landscape are often sudden and unexpected. Whether it is new CA/Browser Forum mandates, 90-day certificates, CA distrust, or pending Post-Quantum Cryptography changes, organizations must be crypto-agile so they can adapt quickly and navigate these changes with minimal downtime or disruptions.
Crypto-Agility – The Path Forward
Public Certificate Authorities (CAs) play a vital role in securing the internet, and are therefore held to rigorous security and compliance standards. Regular audits, such as WebTrust audits, are conducted by third parties to ensure public CAs comply with the CA/Browser Forum’s baseline requirements. Even with strict mandates and audits, improper issuance and mis-issuance of certificates by public CAs does occur, whether due to human error, inadequate verification processes or technical glitches.
Malicious actors can exploit mis-issued certificates to impersonate legitimate websites and carry out man-in-the-middle or phishing attacks, leading to data breaches. When improper issuance is detected, the impacted certificates need to be revoked and re-issued, usually in a short timeframe, to mitigate the security risk. This can put tremendous stress on organizations that use the certificates for public-facing and revenue-generating websites and applications.
When certificate mis-issuance and non-compliance problems arise, CAs are required to address the root cause and prevent their recurrence. However, if a CA becomes complacent and fails to fix issues in a timely manner, browsers may distrust it altogether. Non-compliance due to negligence is unacceptable, given the high security stakes.
The CA/Browser Forum continues to work towards setting high standards and enforcing accountability for public CAs. Nonetheless, organizations that rely on CAs must ensure that they are prepared to protect against unforeseen security risks and events like CA distrust by practicing crypto-agility.
Crypto-agility is the ability to rapidly respond to cryptographic threats and changing crypto requirements without disrupting business operations. It also encompasses CA-agility: the ability to quickly switch from one CA to another and rapidly replace certificates to mitigate the risk of a compromised, distrusted, or non-compliant CA, as in the case of Entrust. Without crypto- and CA-agility, detecting and responding to a CA compromise or distrust incident can be painstakingly difficult, time-consuming and complex.
Ultimately, an effective certificate lifecycle management (CLM) tool can help you achieve crypto-agility. More specifically, a CA-agnostic CLM solution, such as AVX ONE CLM, helps you achieve not only crypto-agility but CA-agility as well. This arms organizations with the ability to make rapid changes across their infrastructure in minimal time and, as a best practice, to utilize a variety of public and private trust CAs. Through crypto- and CA-agility, organizations can mitigate the security risks as well as avoid the heavy lifting, operational overhead and disruption associated with a CA distrust incident or other issues that may arise. AVX ONE CLM provides the visibility, automation and policy-driven control to help organizations seamlessly migrate certificates from an impacted CA to a new CA of their choice.
CA Migration Checklist
If your organization is using Entrust SSL/TLS certificates, it’s crucial to act now and migrate to a new trusted Public CA right away. AVX ONE CLM provides an efficient, scalable and automated certificate lifecycle management (CLM) solution that enables crypto and CA-agility and allows you to seamlessly transition to new Certificate Authorities (CAs) in minimal time.
AVX ONE CLM also includes a powerful CA Switch feature that lets you select impacted certificates in bulk and then automatically request, re-provision and re-install replacement certificates (from a new CA) on the same endpoints.
Here’s a high-level look at how AVX ONE CLM can help you detect and remediate after a CA compromise or distrust incident:
- Visibility:
  - Discover and build a consolidated inventory of all certificates (public and private trust)
  - From your consolidated inventory, monitor, detect and narrow in on vulnerable certificates, such as certificates from a distrusted CA
- Automation:
  - From the list of impacted certificates, automate reissuance, replacement and revocation
  - Use the AVX ONE CLM CA Switch feature to automatically re-provision and reinstall new certificates from new CA(s) in place of impacted certificates
  - AVX ONE CLM’s CA-agnostic automation allows you to re-provision new certificates from various publicly trusted CAs
- Control:
  - Establish and automatically enforce policies around the use of approved Certificate Authorities, crypto standards, validity periods, etc.
  - Support compliance and simplify audits with granular controls and audit logging
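The Visibility step above, narrowing an inventory down to certificates from a distrusted CA, as an added Go example that is not part of the original post or of AVX ONE CLM. It assumes the post’s cutoff date and the two issuer names it gives, matches on the leaf certificate’s Issuer organisation only, and generates constructed self-signed test certificates in place of a real inventory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Cutoff is the date given in the post (certificates issued after October 31, 2024 are
// affected); DistrustedOrgs are the CA organisation names it says Chrome will stop trusting.
var Cutoff = time.Date(2024, time.October, 31, 23, 59, 59, 0, time.UTC)
var DistrustedOrgs = []string{"Entrust", "AffirmTrust"}

// IsImpacted flags a certificate whose issuer organisation matches a distrusted name and
// whose validity begins after the cutoff. It reads only the leaf's Issuer field; a
// production inventory check should walk the chain up to the trusted root.
func IsImpacted(cert *x509.Certificate, cutoff time.Time) bool {
	issuer := strings.Join(cert.Issuer.Organization, " ")
	for _, bad := range DistrustedOrgs {
		if cert.NotBefore.After(cutoff) && strings.Contains(issuer, bad) {
			return true
		}
	}
	return false
}

// NewSelfSigned builds a constructed self-signed test certificate whose Issuer is org,
// standing in for a leaf issued by that CA; it is not output of any real CA.
func NewSelfSigned(cn, org string, notBefore time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

On a real inventory, pem.Decode each stored certificate, pass the DER bytes to x509.ParseCertificate and feed the result to IsImpacted; the resulting list is what the Automation step then reissues and replaces.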
Browsers distrusting Certificate Authorities can have far-reaching implications for organizations, impacting website accessibility, user trust, and financial stability. Embracing crypto-agility, diversifying CAs, implementing robust security practices, and monitoring CA performance can help mitigate the associated risks and ensure the continued security and reliability of online communications.
Want to know more about how to build and practice crypto-agility? Explore the AppViewX Crypto-Agility Solution built to help you prepare for changes like CA distrust incidents, 90-day certificates and PQC.
Need help with migrating your certificates from Entrust to a new trusted public CA? Talk to an expert!