We’re just weeks away from November 12, 2024—the date when Google Chrome will begin distrusting newly issued certificates from Entrust Roots. Shortly after, Mozilla will implement its distrust in Entrust Roots by the end of November. If your organization hasn’t yet switched to a reliable public Certificate Authority (CA), it’s time to do so.
This isn’t the first time we’ve seen a major public CA fall from grace. Back in 2018, when Google pulled its trust in Symantec’s certificates, many organizations were caught off guard. Websites were blocked, services were halted, and teams scrambled to replace certificates before their operations took a costly hit. The rush to move away from Symantec was more than a technical headache—it was a lesson on the value of being prepared.
Now, we’re seeing history repeat itself with Entrust, but there’s a bigger takeaway this time: It’s not just about replacing certificates in a hurry when a CA falls out of favor. The real lesson is in having CA agility and overall crypto-agility at the core of your organization’s PKI and certificate management strategy.
When a CA distrust incident occurs, manually switching CAs and replacing impacted certificates becomes complex, time-consuming, and resource-intensive. For large organizations with extensive IT infrastructures, the challenge can feel overwhelming: tracking down every affected certificate, onboarding a new CA, provisioning new certificates, and revoking the old certificates in time.
This is where crypto and CA agility play a critical role. They ensure you have the capability to quickly switch to a new CA without the operational chaos. They help you mitigate the security risks as well as avoid the heavy lifting, operational overhead, and disruption associated with a CA distrust incident. There are no frantic searches for impacted certificates, anxiety over downtime, or scrambling to restore compliance.
By building crypto-agility into your PKI strategy, you’re not just preparing for CA distrust incidents—you’re gearing up for emerging cryptographic threats and industry shifts such as the threat of quantum computing to current cryptography or the industry’s push toward shorter certificate lifecycles.
To help you build crypto and CA agility into your PKI strategy, AppViewX offers CA-agnostic certificate lifecycle management automation.
AppViewX AVX ONE CLM is an advanced, automated certificate lifecycle management solution designed to enable CA and crypto-agility from the ground up. With industry-leading features, AVX ONE CLM combines visibility, automation, and control to simplify certificate management, enhance efficiency, reduce outages, and ensure compliance.
When events like the Entrust distrust occur, AVX ONE CLM has a built-in safety net. It helps you migrate from Entrust CA to a new CA quickly and seamlessly through:
The Entrust distrust incident is essentially a litmus test for organizations. It’s the perfect opportunity to take a hard look at your Certificate Lifecycle Management (CLM) processes and ask: are we really crypto-agile? For those organizations still relying on manual methods to manage certificates, it’s time to pull the plug on outdated processes. Automation isn’t just an upgrade—it’s essential for achieving crypto-agility and future-proofing security.
As we brace for even bigger challenges on the horizon, like the shift to post-quantum cryptography, crypto-agility becomes not just an advantage but a necessity. It’s the only way to get ahead and navigate the changes that are coming.
*** This is a Security Bloggers Network syndicated blog from Blogs Archive - AppViewX authored by Krupa Patil. Read the original post at: https://www.appviewx.com/blogs/the-entrust-distrust-deadline-is-closing-in-are-you-prepared/