Entrust Distrust 2024
The Enterprise Wake-Up Call
How a pattern of compliance failures brought down one of PKI's biggest names

Quick Facts
| Fact | Detail |
|---|---|
| CA | Entrust |
| Year | 2024 |
| Initial Impact | 26,000+ EV certificates mis-issued |
| Browsers Affected | Chrome (Nov 11), Safari (Nov 15), Firefox (Nov 30) |
| Root Cause | Pattern of compliance failures; refused to follow revocation rules |
| Outcome | Full distrust; CA business sold to Sectigo |
| The Lesson | Enterprise reputation doesn't protect you from the rules |
How It Started: A Missing Field
In March 2024, a routine bug report appeared in Mozilla's Bugzilla: Entrust had been issuing EV (Extended Validation) certificates missing a required field. The organizationIdentifier field, mandated by CA/Browser Forum rules since 2019, was absent from over 26,000 certificates.
For most CAs, this would be embarrassing but manageable. File the bug, revoke the certificates within 24 hours (as required), issue replacements, move on. But Entrust's response would set off a chain of events that ended with their complete distrust.
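To make the "missing field" concrete, here is an added example (not code from the article, Entrust, or any linter project): a minimal pure-Python DER walker that builds two X.509 subject Names and checks each for the organizationIdentifier attribute (OID 2.5.4.97), which is the kind of pre-issuance check an EV linter performs. The organization, the identifier value and the hostnames are constructed placeholders; the walker assumes single-byte tags (true for the Name structure) and decodes OID first arcs only for the 0, 1 and 2 trees with a second arc below 40, which covers the directory attribute OIDs used here.

```python
# Added example: minimal DER walker that checks an X.509 subject Name for the
# organizationIdentifier attribute (OID 2.5.4.97) required in EV certificates.
# Pure standard library; the sample subjects below are constructed, not real.

ORG_IDENTIFIER_OID = "2.5.4.97"

# DER tag numbers used by the Name structure.
TAG_OID, TAG_UTF8, TAG_PRINTABLE, TAG_SEQUENCE, TAG_SET = 0x06, 0x0C, 0x13, 0x30, 0x31

def encode_oid(dotted):
    """Encode a dotted OID into its DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return bytes(out)

def decode_oid(body):
    """Inverse of encode_oid; assumes first arc 0, 1 or 2 with a second arc below 40."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def tlv(tag, body):
    """Wrap content octets in a DER tag/length header (single-byte tags only)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, header = first, 2
    else:
        k = first & 0x7F
        n, header = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + header
    return tag, buf[start:start + n], start + n

def attribute(oid, value, tag=TAG_UTF8):
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, value } }."""
    atv = tlv(TAG_SEQUENCE, tlv(TAG_OID, encode_oid(oid)) + tlv(tag, value.encode()))
    return tlv(TAG_SET, atv)

def name(*rdns):
    """Name ::= SEQUENCE OF RelativeDistinguishedName."""
    return tlv(TAG_SEQUENCE, b"".join(rdns))

def subject_attributes(der_name):
    """Walk a DER-encoded Name and yield (dotted_oid, value) pairs."""
    tag, body, _ = parse_tlv(der_name)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, rdn, pos = parse_tlv(body, pos)
        if tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = parse_tlv(rdn, inner)
            _, oid_body, after_oid = parse_tlv(atv)
            _, value, _ = parse_tlv(atv, after_oid)
            yield decode_oid(oid_body), value.decode("utf-8", "replace")

def lint_ev_subject(der_name):
    """Linter-style check; returns a list of findings (empty means the subject passes)."""
    attrs = dict(subject_attributes(der_name))
    findings = []
    if ORG_IDENTIFIER_OID not in attrs:
        findings.append("EV subject lacks organizationIdentifier (2.5.4.97)")
    return findings

# Constructed sample subjects (placeholder organization and identifier values).
COMPLIANT_SUBJECT = name(
    attribute("2.5.4.6", "US", tag=TAG_PRINTABLE),  # countryName
    attribute("2.5.4.10", "Example Corp"),          # organizationName
    attribute("2.5.4.97", "NTRUS+CA-000000"),       # organizationIdentifier (placeholder)
    attribute("2.5.4.3", "www.example.com"),        # commonName
)
DEFICIENT_SUBJECT = name(                           # same subject with the field omitted
    attribute("2.5.4.6", "US", tag=TAG_PRINTABLE),
    attribute("2.5.4.10", "Example Corp"),
    attribute("2.5.4.3", "www.example.com"),
)
```

Calling `lint_ev_subject(DEFICIENT_SUBJECT)` returns the single finding, while the compliant subject returns an empty list. A real linter would also confirm that the certificate carries an EV policy OID before applying this rule and would validate the identifier's format, which this walker does not attempt.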
Entrust's Response
"The complexity and risk inherent in the required revocation process... we believe the most responsible course of action is to ensure replacement certificates are in place before revoking the affected certificates."
— Entrust's initial response, March 2024
In other words: Entrust decided not to revoke within 24 hours. They argued customer disruption was too risky. This decision — prioritizing customer convenience over compliance — would prove fatal.
The Community Reacts
"A CA that cannot revoke certificates in a timely manner is a CA that cannot be trusted. Full stop."
— Comment in Bugzilla thread, March 2024
The Mozilla dev-security-policy mailing list lit up. Security researchers pointed out that the Baseline Requirements weren't suggestions — they were rules. Every CA agreed to them when joining root programs.
Google Steps In
On June 27, 2024, Chrome dropped the hammer. In a blog post titled "Sustaining Digital Certificate Security", Google announced that Chrome would no longer trust Entrust certificates issued after November 11, 2024.
The Verdict
Google cited "a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incidents."
The Pattern Emerges
Not the First Time
The 2024 incident wasn't Entrust's first compliance failure. In 2020, after another mis-issuance incident, Entrust made commitments to Mozilla:
"We recognize that we need to do better. We are committed to implementing improved processes and controls to prevent similar incidents in the future."
— Entrust, 2020
Those improvements never materialized. Or rather, they weren't enough.
The Bugzilla Bloodbath
A look at Entrust's Bugzilla track record shows a pattern that browsers could no longer ignore:
| Bug # | Year | Issue |
|---|---|---|
| 1651481 | 2020 | Delayed revocation of mis-issued certificates |
| 1672409 | 2021 | CRL update delays |
| 1729908 | 2022 | Improper validation procedures |
| 1883843 | 2024 | 26,000+ EV certs missing organizationIdentifier |
| 1886532 | 2024 | Refused 24-hour revocation requirement |
Six Years of Patterns
"Over the past six years, we have observed a pattern of concerning behaviors by Entrust that fall short of the expectations we have for CAs. Each incident has been characterized by a failure to prioritize the health of the Web PKI ecosystem."
— Google Chrome Security Team, June 2024
Complete Timeline
| Date | Event |
|---|---|
| March 2024 | Bug filed: 26,000+ EV certs missing required field |
| March 2024 | Entrust refuses 24-hour revocation timeline |
| April 2024 | Community pressure mounts in dev-security-policy |
| June 27, 2024 | Google announces Chrome distrust |
| July 2024 | Entrust appeals, offers remediation plan |
| August 2024 | Apple announces Safari distrust |
| October 2024 | Mozilla announces Firefox distrust |
| Nov 11, 2024 | Chrome distrust takes effect |
| Nov 15, 2024 | Safari distrust takes effect |
| Nov 30, 2024 | Firefox distrust takes effect |
| Dec 2024 | Entrust announces CA business sale to Sectigo |
| Feb 2025 | Sectigo completes acquisition of Entrust's public CA business |
The Fallout
Enterprise Scramble
Entrust wasn't some small CA serving hobbyists. Their customer list read like a Fortune 500 directory. When the distrust announcements hit, enterprise PKI teams across the globe went into emergency mode.
The Challenge
- Identify every Entrust certificate in the organization
- Establish a relationship with a new CA (for many, from scratch)
- Replace hundreds or thousands of certificates
- Do it all before November 11, 2024
- Without breaking production
Real Impact
"We had 847 Entrust certificates across production, staging, and development. Finding them all took a week. Replacing them took three months. We worked weekends for the entire summer."
— Infrastructure engineer at ServiceNow (anonymous)
Personal Experience
If you worked in enterprise PKI in 2024, you probably remember where you were when the Chrome announcement dropped. The Entrust distrust became the defining event of the year for certificate management teams. It exposed every organization's certificate visibility (or lack thereof) and automation capabilities (or lack thereof).
The Lessons
"Enterprise CA" Doesn't Mean "Safe CA"
Entrust served Fortune 500 companies. They had decades of history. They had enterprise sales teams and premium support contracts. None of that protected customers when browsers decided enough was enough.
Patterns Matter More Than Incidents
The 2024 mis-issuance wasn't catastrophic by itself. But it came after years of smaller incidents and broken promises. Browsers don't distrust CAs for single mistakes — they distrust for patterns of behavior.
Part of recognizing patterns is watching how a CA responds to incidents. When root cause analyses repeatedly blame external tools—"the linter didn't catch it"—that's a process maturity red flag. Linters are valuable safeguards, but they're open-source projects that can't cover every rule. They are part of a compliance process, not the entire compliance process. CAs that treat automated checks as a substitute for governance are telling you something about their culture.
Browsers Are the Regulators
There's no government agency that oversees CAs. The real power lies with browser root programs. When Google, Apple, and Mozilla agree on distrust, there's no appeal. No court. No regulator to complain to.
Certificate Agility Is Mandatory
Organizations with certificate automation and visibility tools weathered the storm. Those without spent months in firefighting mode.
Learn more: PKI Mistakes Guide
Multi-CA Strategy Is Not Optional
If all your certificates come from one CA, you have a single point of failure. The organizations that survived best had backup CA relationships already in place.
Learn more: PKI Planning Mistakes
What To Do Now
If You Still Have Entrust Certificates
Critical Warning
Any Entrust TLS certificates issued after November 11, 2024 will not be trusted by Chrome, Safari, or Firefox. Certificates issued before that date will continue to work until they expire, but you should plan migration now.
Migration Checklist
- Inventory all Entrust certificates in your environment
- Establish accounts with alternative CAs (DigiCert, Sectigo, Let's Encrypt, etc.)
- Test issuance from the new CA in a non-production environment
- Plan migration timeline starting with highest-visibility services
- Document the new process for future renewals
- Implement certificate monitoring to avoid future surprises
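The inventory and monitoring steps above, together with the cutoff dates in the warning, come down to a triage pass over whatever certificate list you can export. As an added example (not the article's or any vendor's tooling), the script below reads a constructed inventory export, keeps the Entrust-issued entries, marks which of the three browsers would reject each one using the dates given in this article, and orders the migration queue by urgency. The CSV column names, hostnames and issuer strings are assumptions of this example; the "entrust" substring match on the issuer is a heuristic, and notBefore is used as the issuance date, which is a simplification of how the browsers actually determine it.

```python
# Added example: triage a certificate inventory against the browser distrust
# dates the article lists. The CSV layout, hosts and issuer names are constructed.
import csv
import io
from datetime import date

# Distrust cutoffs from the article: Entrust certificates issued after these
# dates are not trusted by the named browser. notBefore stands in for the
# issuance date here, which is a simplification.
DISTRUST_CUTOFFS = {
    "Chrome": date(2024, 11, 11),
    "Safari": date(2024, 11, 15),
    "Firefox": date(2024, 11, 30),
}

# Constructed sample export, in the shape a scanner or cert-management tool
# might produce (column names are an assumption of this example).
SAMPLE_INVENTORY = """\
host,issuer,not_before,not_after
www.example.com,Entrust Example Issuing CA,2024-06-01,2025-06-01
api.example.com,Entrust Example Issuing CA,2024-12-02,2025-12-02
mail.example.com,Entrust Example Issuing CA,2024-11-13,2025-11-13
intranet.example.com,Example Internal CA,2024-01-15,2026-01-15
shop.example.com,Entrust Example Issuing CA,2024-03-10,2025-03-10
"""


def is_entrust(issuer):
    """Heuristic match on the issuer DN; adjust to your inventory's issuer format."""
    return "entrust" in issuer.lower()


def browsers_rejecting(issuer, not_before):
    """Browsers (per the article's dates) that would reject this certificate."""
    if not is_entrust(issuer):
        return []
    return [b for b, cutoff in DISTRUST_CUTOFFS.items() if not_before > cutoff]


def triage(csv_text, today):
    """Return Entrust-issued certificates ordered by migration urgency.

    priority 0: already rejected by at least one major browser
    priority 1: expires within 30 days and cannot be renewed at Entrust
    priority 2: still trusted; migrate before expiry
    """
    queue = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_entrust(row["issuer"]):
            continue
        not_before = date.fromisoformat(row["not_before"])
        not_after = date.fromisoformat(row["not_after"])
        rejected_by = browsers_rejecting(row["issuer"], not_before)
        days_left = (not_after - today).days
        if rejected_by:
            priority = 0
        elif days_left <= 30:
            priority = 1
        else:
            priority = 2
        queue.append({"host": row["host"], "priority": priority,
                      "days_left": days_left, "rejected_by": rejected_by})
    queue.sort(key=lambda c: (c["priority"], c["days_left"]))
    return queue


if __name__ == "__main__":
    for cert in triage(SAMPLE_INVENTORY, date.today()):
        print(f"P{cert['priority']} {cert['host']:22} expires in {cert['days_left']:4d} days"
              f" rejected by: {', '.join(cert['rejected_by']) or 'none'}")
```

Run against a real export, the same pass doubles as the expiry monitor the checklist asks for: anything in priority 1 is a renewal that can no longer go back to the old CA, and anything in priority 0 is already broken for the browsers listed.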
About the Sectigo Acquisition
In December 2024, Entrust announced the sale of its public CA business to Sectigo. The acquisition closed in February 2025. What this means for customers:
- Existing Entrust certificates remain distrusted by browsers
- Sectigo now issues new certificates using Sectigo's trusted roots
- The distrust doesn't transfer — Sectigo's roots remain trusted
- Migration is still required for all Entrust-issued certificates
Is Your CA Next?
How to Monitor CA Health
The warning signs were public for anyone watching. Here's how to stay informed:
CCADB (Common CA Database)
The primary source for CA compliance incidents. All major browsers reference this database.
Visit CCADB
Red Flags to Watch For
- Multiple Bugzilla incidents within 12 months
- Delayed revocation of mis-issued certificates
- CA arguing against baseline requirements instead of complying
- Repeated "improvement commitments" without visible improvement
- Hostile or defensive responses to community concerns
Certificate Agility Checklist
Can you answer "yes" to all of these?
- We know where every certificate is installed
- We have accounts with at least two CAs
- We can replace all certificates within 90 days
- We have automated monitoring for certificate expiration
- We subscribe to CA security announcements
If you answered "no" to any of these, the Entrust disaster is your warning to act now.
Resources
- Google's Distrust Announcement: the original Chrome security blog post
- Mozilla Bugzilla Thread: the original bug report that started it all
- CCADB (Common CA Database): monitor CA compliance across all browser programs
- Mozilla dev-security-policy Mailing List: where CA incidents are publicly discussed
Frequently Asked Questions
Will my existing Entrust certificates stop working?
Certificates issued before November 11, 2024 will continue to work until they expire. Only new certificates issued after that date are distrusted. However, you should plan to migrate before your current certificates expire.
Does the Sectigo acquisition fix everything?
No. Sectigo will use its own trusted roots, so new certificates will work. But the distrust of Entrust roots remains permanent. All existing Entrust-issued certificates still need to be replaced.
Which browsers are affected?
Chrome (starting Nov 11, 2024), Safari (Nov 15, 2024), and Firefox (Nov 30, 2024). This covers approximately 95% of global browser market share. Edge uses Chrome's root store, so it's also affected.
Could this happen to other CAs?
Yes. Symantec (2017), WoSign/StartCom (2016), and DigiNotar (2011) all faced similar fates. Any CA that accumulates a pattern of compliance failures is at risk. This is why multi-CA strategies are essential.
What CA should I switch to?
Popular alternatives include DigiCert, Sectigo, GlobalSign, and Let's Encrypt. The right choice depends on your needs: Let's Encrypt for automation and cost, commercial CAs for support contracts and EV certificates. Consider using multiple CAs.
Related Resources
- Certificate Revocation Requirements: the CA/Browser Forum 24-hour and 5-day revocation rules that Entrust failed to follow
- CA Migration Runbook: step-by-step guide for migrating away from a distrusted CA
- Crypto Agility vs Certificate Agility: why you need both for CA distrust events
- Compliance Hub: monitor your CA's compliance history