We’re just days away from November 12, 2024—the date when Google Chrome will begin distrusting newly issued certificates from Entrust Roots. Shortly after, Mozilla will implement its distrust in Entrust Roots by the end of November. If your organization hasn’t yet switched to a reliable public Certificate Authority (CA), it’s time to do so.
This isn’t the first time we’ve seen a major public CA run into trouble. Back in 2018, when Google pulled its trust in Symantec’s certificates, many organizations were caught off guard. Websites were blocked, services were halted, and teams scrambled to replace certificates before their operations took a costly hit. The rush to move away from Symantec was more than a technical headache—it was a lesson on the value of being prepared.
Now, we’re seeing the story repeat itself with Entrust, but there’s a bigger takeaway this time: It’s not just about replacing certificates in a hurry when a CA falls out of favor. The real lesson is in having CA agility and overall crypto-agility at the core of your organization’s PKI and certificate management strategy.
When a CA distrust incident occurs, manually switching CAs and replacing impacted certificates becomes complex, time-consuming, and resource-intensive. For large organizations with extensive IT infrastructures, the challenge can feel overwhelming: tracking down every affected certificate, onboarding a new CA, provisioning new certificates, and revoking the old certificates in time.
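The first of those steps, finding every affected certificate, is where a scripted inventory check pays off. The following is an added example (not AppViewX code and not tied to any product): it triages a certificate inventory against the Chrome and Mozilla cutoffs stated above, treating a certificate as "newly issued" when its notBefore date is on or after the cutoff (an assumption), and uses a constructed sample inventory rather than real certificates.

```python
from dataclasses import dataclass
from datetime import date

# Cutoffs as given in the post: Chrome on 2024-11-12, Mozilla by the end of November.
# Assumption: a certificate counts as "newly issued" when its notBefore is on/after the cutoff.
CHROME_CUTOFF = date(2024, 11, 12)
MOZILLA_CUTOFF = date(2024, 12, 1)

@dataclass
class CertRecord:
    subject: str
    issuer: str        # CA name as found in the certificate's Issuer field
    not_before: date
    not_after: date
    endpoint: str      # where the certificate is installed (load balancer, gateway, ...)

def chains_to_entrust(cert: CertRecord) -> bool:
    # Simplified name match; a production inventory would walk the chain to the root.
    return "entrust" in cert.issuer.lower()

def triage(inventory: list[CertRecord], today: date) -> dict[str, list[CertRecord]]:
    """Sort certificates into migration buckets.

    untrusted: Entrust-issued on/after the earliest browser cutoff, so already rejected.
    replace_before_expiry: Entrust-issued before the cutoffs; still trusted, but cannot be
        renewed with Entrust and must move to a new CA before not_after.
    unaffected: issued by another CA.
    """
    buckets = {"untrusted": [], "replace_before_expiry": [], "unaffected": []}
    for cert in inventory:
        if cert.not_after < today:
            continue  # already expired: normal renewal, not part of this migration
        if not chains_to_entrust(cert):
            buckets["unaffected"].append(cert)
        elif cert.not_before >= min(CHROME_CUTOFF, MOZILLA_CUTOFF):
            buckets["untrusted"].append(cert)
        else:
            buckets["replace_before_expiry"].append(cert)
    # Soonest-expiring first, so the migration queue is ordered by urgency.
    buckets["replace_before_expiry"].sort(key=lambda c: c.not_after)
    return buckets

# Constructed sample inventory; issuer names and hosts are placeholders, not real certificates.
SAMPLE_INVENTORY = [
    CertRecord("www.example.test", "Entrust Example Intermediate CA", date(2024, 3, 1), date(2025, 3, 1), "lb-01"),
    CertRecord("api.example.test", "Entrust Example Intermediate CA", date(2024, 11, 15), date(2025, 11, 15), "api-gw-02"),
    CertRecord("mail.example.test", "Entrust Example Intermediate CA", date(2024, 1, 10), date(2025, 1, 10), "mx-01"),
    CertRecord("shop.example.test", "Other Public CA", date(2024, 9, 1), date(2025, 9, 1), "lb-02"),
]

if __name__ == "__main__":
    for bucket, certs in triage(SAMPLE_INVENTORY, date(2024, 11, 8)).items():
        print(bucket, [c.subject for c in certs])
```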
This is where crypto and CA agility play a critical role. They ensure you have the capability to quickly switch to a new CA without the operational chaos. They help you mitigate the security risks as well as avoid the heavy lifting, operational overhead, and disruption associated with a CA distrust incident. There are no frantic searches for impacted certificates, anxiety over downtime, or scrambling to restore compliance.
By building crypto-agility into your PKI strategy, you’re not just preparing for CA distrust incidents—you’re gearing up for emerging cryptographic threats and industry shifts such as the threat of quantum computing to current cryptography or the industry’s push toward shorter certificate lifecycles.
Build Crypto and CA Agility with AppViewX
To help you build crypto and CA agility into your PKI strategy, AppViewX offers CA-agnostic certificate lifecycle management automation.
AppViewX AVX ONE CLM is an advanced, automated certificate lifecycle management solution designed to enable CA and crypto-agility from the ground up. With industry-leading features, AVX ONE CLM combines visibility, automation, and control to simplify certificate management, enhance efficiency, reduce outages, and ensure compliance.
Quickly migrate from Entrust CA to a new CA of your choice
- Visibility: Complete visibility of all public and private trust certificates–where they are and the applications or endpoints they are tied to. A centralized inventory to continuously monitor all certificates for expiry and vulnerabilities.
- Automation: Out-of-the-box automation workflows to automate renewal, revocation, and provisioning (including the endpoint binding) of certificates from any CA across all endpoints without causing downtime.
- Control: Automated PKI policy enforcement to ensure all public and private trust certificates are valid and compliant with security policies.
When events like the Entrust distrust occur, AVX ONE CLM has a built-in safety net. It helps you migrate from Entrust CA to a new CA quickly and seamlessly through:
- CLM Insights – Entrust Migration Dashboard: A unique dashboard that offers a consolidated view of all your Entrust certificates in one place, making it easy to plan and execute your migration to a new CA. You can also track your migration progress, minimizing risks and avoiding downtime.
- CA Switch Feature: As a best practice, organizations should focus on developing CA agility and implementing a multi-CA strategy. To support this, AVX ONE CLM provides CA-agnostic automation, allowing you to automate certificate provisioning, renewals and revocation across all leading public and private CAs. AVX ONE CLM also provides a powerful CA Switch feature, allowing you to quickly select impacted certificates in bulk and then automatically request, re-provision, and re-install new certificates (from a new CA) to the same endpoints within a few clicks.
The Entrust distrust incident is essentially a litmus test for organizations. It’s the perfect opportunity to take a hard look at your Certificate Lifecycle Management (CLM) processes and ask: are we really crypto-agile? For those organizations still relying on manual methods to manage certificates, it’s time to pull the plug on outdated processes. Automation isn’t just an upgrade—it’s essential for achieving crypto-agility and future-proofing security.
As we brace for even bigger challenges on the horizon, like the shift to post-quantum cryptography, crypto-agility becomes not just an advantage but a necessity. It’s the only way to get ahead and navigate the changes that are coming.
Need help with migrating your certificates from Entrust to a new trusted public CA? Talk to an expert!