This week Google announced that the Google Chrome browser will no longer trust TLS certificates issued by the Entrust Certificate Authority (CA) starting November 1, 2024. Certificates issued by Entrust on or before October 31, 2024 will remain trusted until they expire. In its statement explaining the rationale behind this decision, Google emphasized the critical role Certificate Authorities play in internet security and the importance of CAs assuming responsibility and adhering to “reasonable and consensus-driven security and compliance expectations, including those defined by the CA/Browser TLS Baseline Requirements.”
In the case of Entrust, Google cited the following reasons for distrust:
“Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified.”
Among the incidents behind this pattern, Entrust issued certificates without the serverAuth EKU, which makes them unsuitable for TLS server authentication under the Baseline Requirements. The practical effect of a missing EKU is a profile violation and possible connection failures in clients that enforce it, not an increased man-in-the-middle (MITM) risk. Entrust also issued certificates using SHA-256 with ECC P-384 keys where policy requires SHA-384. That pairing is not practically exploitable (the effective security level is bounded by SHA-256's 128 bits rather than P-384's 192), but it is a mis-issuance all the same. What drove Google's decision is the pattern: repeated compliance failures and slow, incomplete remediation, rather than any single cryptographic weakness that undermined encrypted connections.
Effective November 1, 2024, Chrome 127 and later on Windows, macOS, ChromeOS, Android, and Linux will cease to trust new TLS server authentication certificates from Entrust or AffirmTrust, which will be flagged as insecure. Google advises organizations holding Entrust certificates that expire after October 31, 2024 to replace them before they expire, since a renewal from Entrust after the cutoff will not be trusted.
Websites and applications that deploy a TLS certificate issued by Entrust or AffirmTrust after October 31, 2024 will be treated as untrusted by Google Chrome. Users navigating to them will see the full-page browser warning “Your connection is not private.” For an organization this can mean revenue loss, reputational harm, and non-compliance risk.
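The first thing a practitioner wants after reading this is a list of which of their own certificates fall on the wrong side of the cutoff. The script below is an added example, not code from the original post or from AppViewX. It classifies certificates in the dict form that Python's `ssl.SSLSocket.getpeercert()` returns, using a constructed sample inventory (hostnames and certificate fields are made up). Two assumptions are built in and labelled in the code: it matches the issuer's organizationName against "Entrust" and "AffirmTrust" as a heuristic rather than walking the chain to the roots Google lists, and it uses notBefore as a proxy for the earliest SCT timestamp that Chrome actually keys on.

```python
"""Inventory check for certificates affected by Chrome's distrust of Entrust.

Added example, not code from the original post or from AppViewX. It works on
the dict format returned by ssl.SSLSocket.getpeercert(); the samples below are
constructed, not real certificates. The live fetch needs network access and is
only used when this file is run as a script against real hosts.
"""
import socket
import ssl
from datetime import datetime, timezone

# Organizations named in the post. Matching the leaf's issuer organizationName
# is a heuristic (assumption): the leaf's issuer is an intermediate, and
# Entrust and AffirmTrust intermediates carry these names. A rigorous check
# walks the chain to the root and compares it with the roots Google lists.
DISTRUSTED_ORGS = ("Entrust", "AffirmTrust")

# Cutoff from the post: certificates issued on or before this instant keep
# working in Chrome until they expire. Chrome keys on the earliest SCT
# timestamp; notBefore is the closest proxy getpeercert() exposes (assumption:
# normally within a day of the SCT), so treat borderline cases as affected.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)


def issuer_org(cert):
    """Return the issuer's organizationName from a getpeercert() dict, or ''."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return ""


def cert_time(s):
    """Parse a getpeercert() time such as 'Mar 15 00:00:00 2024 GMT' to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)


def classify(cert):
    """Classify one certificate against the Chrome distrust rule.

    Returns one of:
      'unaffected'           - issuer is not Entrust/AffirmTrust
      'untrusted'            - issued after the cutoff; Chrome will reject it
      'trusted-until-expiry' - issued on/before the cutoff but expires after
                               it; replace with another CA before expiry
      'renew-elsewhere'      - expires on/before the cutoff; the renewal must
                               come from another CA anyway
    """
    org = issuer_org(cert)
    if not any(name in org for name in DISTRUSTED_ORGS):
        return "unaffected"
    if cert_time(cert["notBefore"]) > CUTOFF:
        return "untrusted"
    if cert_time(cert["notAfter"]) > CUTOFF:
        return "trusted-until-expiry"
    return "renew-elsewhere"


def report(certs):
    """Map host -> classification for a {host: getpeercert() dict} inventory."""
    return {host: classify(cert) for host, cert in certs.items()}


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate of a live host (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _issuer(org, cn):
    """Build an issuer tuple in getpeercert() layout (constructed data)."""
    return ((("countryName", "US"),), (("organizationName", org),),
            (("commonName", cn),))


# Constructed sample inventory: hostnames and certificate data are made up.
SAMPLE_CERTS = {
    "legacy.example.com": {
        "issuer": _issuer("Entrust, Inc.", "Constructed Entrust Intermediate"),
        "notBefore": "Mar 15 00:00:00 2024 GMT",
        "notAfter": "Mar 15 23:59:59 2025 GMT",
    },
    "renewed.example.com": {
        "issuer": _issuer("Entrust, Inc.", "Constructed Entrust Intermediate"),
        "notBefore": "Nov 15 00:00:00 2024 GMT",
        "notAfter": "Nov 15 23:59:59 2025 GMT",
    },
    "shortlived.example.com": {
        "issuer": _issuer("AffirmTrust", "Constructed AffirmTrust Intermediate"),
        "notBefore": "Sep 01 00:00:00 2024 GMT",
        "notAfter": "Oct 15 23:59:59 2024 GMT",
    },
    "other.example.com": {
        "issuer": _issuer("Example CA LLC", "Constructed Unrelated Intermediate"),
        "notBefore": "Jan 10 00:00:00 2024 GMT",
        "notAfter": "Jan 10 23:59:59 2025 GMT",
    },
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_CERTS).items():
        print(f"{host:26} {status}")
```

To run it against a real estate, replace `SAMPLE_CERTS` with `{host: fetch_peer_cert(host) for host in hosts}`; note that `getpeercert()` only returns the parsed dict when the default context verifies the chain, so hosts whose certificates already fail validation need to be handled separately rather than silently skipped.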
Recent AppViewX research found that 90% of Fortune 1000 companies use more than three Certificate Authorities (CAs), and over 20 percent use Entrust. In light of Google’s announcement this gives a sense of the scale of the impact: every organization currently relying on Entrust for public TLS certificates will need to move its issuance to another trusted public CA before its first renewal after October 31, 2024 to avoid browser warnings on its websites and applications.
Manually migrating from one Certificate Authority to another is a complex, resource-intensive process. It can involve several steps, such as:
Each of these steps requires careful planning and coordination to avoid service disruptions, security issues, or compliance violations. For organizations with extensive IT infrastructure, carrying them out manually is slow and error-prone.
Back in 2018, when Google removed Chrome’s trust in the Symantec certificate authority after a series of mis-issuance and audit failures, organizations using Symantec-issued certificates faced significant disruptions. Websites and services relying on those certificates triggered browser warnings in Google Chrome, leading to loss of user trust, reduced traffic, and lost revenue. Organizations had to replace their certificates with ones from trusted CAs under tight deadlines, causing operational strain and increased costs. The incident served as a wake-up call for organizations relying on manual certificate management, highlighting the importance of being prepared for a rapid transition when a CA loses trust.
In cases such as this, when a CA is distrusted, crypto-agility and automation play a pivotal role in streamlining the migration process and mitigating associated risks.
Crypto-agility has long been promoted as a best practice for managing cryptographic assets by standards bodies and industry analysts such as NIST and Gartner, but it is still not widely adopted. It is the ability to keep up with advances in cryptography and respond rapidly to changing requirements or threats without disrupting the rest of the infrastructure or operations. In the context of a CA distrust event, crypto-agility is the organization’s ability to migrate swiftly from one CA to another and retire the affected certificates before they cause outages. Given the number of steps involved in a CA migration, every organization should practice crypto-agility for continuous security and resilience.
The most effective way of achieving crypto-agility is to implement automation in PKI and certificate lifecycle management (CLM). When it comes to CA migration, CLM automation can help reduce the complexity and manual effort significantly by:
Migrating from Entrust to a new CA is a complex process with potential pitfalls, but automation and crypto-agility can transform this challenge into a manageable, efficient, and secure process. By automating certificate lifecycle management and practicing enterprise-wide crypto-agility, organizations can ensure a seamless CA migration with minimal disruption and maximum security. As the cryptography landscape continues to evolve with new quantum-safe algorithms and 90-day certificates, organizations should implement automation and become crypto-agile today as a best practice for maintaining a resilient security posture.
AVX ONE CLM is a ready-to-consume, scalable certificate lifecycle management (CLM) solution that automates all certificate processes end-to-end. You can discover, inventory, monitor, and automate the complete lifecycle for all public and private certificates, through a central management console. AppViewX brings together visibility, automation, and control across on-premises, multi-cloud, hybrid cloud, IoT, and containerized environments to simplify certificate lifecycle management, improve efficiency, build crypto-agility, and ensure continuous compliance.
To quickly migrate from Entrust CA to a new CA of your choice (i.e. AWS, DigiCert, GlobalSign, Google, Sectigo, and others), let AppViewX show you how. Request an AVX ONE CLM demo today.
*** This is a Security Bloggers Network syndicated blog from Blogs Archive - AppViewX authored by Muralidharan Palanisamy. Read the original post at: https://www.appviewx.com/blogs/attention-google-to-distrust-entrust-tls-certificates/