Google Chrome to block Entrust certificates by default from November 2024



Google has announced that Google Chrome will, by default, block Entrust certificates issued after October 31, 2024, citing a number of reasons why confidence in the competence, reliability, and integrity of Entrust as a certificate authority owner has been undermined.

Google Online Security Blog: Sustaining Digital Certificate Security - Entrust Certificate Distrust

https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html



Google cuts ties with Entrust in Chrome over trust issues • The Register

https://www.theregister.com/2024/06/28/google_axes_entrust_over_six/



Google describes certificate authorities as 'a privileged and trusted role on the Internet that underpins the encrypted connections between browsers and websites,' and explains that as a result of their enormous responsibilities, they are 'expected to comply with reasonable, agreed-upon security and compliance requirements.'

However, Google points out that over the past six years Entrust has shown a series of 'failures to comply with regulations,' 'failure to meet remediation targets,' and 'lack of concrete, measurable progress on publicly reported incidents,' and concludes that 'given the inherent risks that each publicly trusted certificate authority poses to the Internet ecosystem, there is no longer a basis for Google Chrome to continue to trust Entrust.'

Google Chrome 127 and later will, by default, not trust Entrust TLS server authentication certificates whose Signed Certificate Timestamp (SCT) is later than October 31, 2024. The block will apply on Windows, macOS, ChromeOS, Android, and Linux from November 1, 2024 onwards.

The iOS version is not included because Apple's policy prohibits the use of the 'Chrome Certificate Verifier' and the 'Chrome Root Store', which are Chrome's own certificate verification mechanism and list of root CAs.
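To see which certificates fall on which side of the SCT cutoff described above, the embedded SCT list can be parsed directly. This is an added example, not code from Google or from the article: it reads the RFC 6962 TLS-encoded SCT list (already unwrapped from the X.509 extension) and assumes the comparison uses the earliest SCT against an end-of-day UTC cutoff. The function names, the `chains_to_entrust` flag, and the sample data are hypothetical and constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: cutoff is the end of October 31, 2024 in UTC (the article gives only the date).
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

def parse_sct_timestamps(sct_list: bytes) -> list:
    """Timestamps of all v1 SCTs in a TLS-encoded SignedCertificateTimestampList."""
    if len(sct_list) < 2 or struct.unpack_from(">H", sct_list)[0] != len(sct_list) - 2:
        raise ValueError("bad SCT list length")
    stamps, pos = [], 2
    while pos < len(sct_list):
        if pos + 2 > len(sct_list):
            raise ValueError("truncated SCT length")
        (sct_len,) = struct.unpack_from(">H", sct_list, pos)
        sct = sct_list[pos + 2 : pos + 2 + sct_len]
        # v1 SCT: version(1) log_id(32) timestamp(8) extensions(2+n) signature(4+n)
        if len(sct) != sct_len or sct_len < 47 or sct[0] != 0:
            raise ValueError("truncated or non-v1 SCT")
        (millis,) = struct.unpack_from(">Q", sct, 33)  # milliseconds since the Unix epoch
        stamps.append(EPOCH + timedelta(milliseconds=millis))
        pos += 2 + sct_len
    if not stamps:
        raise ValueError("empty SCT list")
    return stamps

def distrusted_by_default(sct_list: bytes, chains_to_entrust: bool) -> bool:
    """Assumed rule: chain ends at an Entrust root AND the earliest SCT is after the cutoff."""
    return chains_to_entrust and min(parse_sct_timestamps(sct_list)) > CUTOFF

def build_sct_list(*issued) -> bytes:
    """Constructed sample data: all-zero log IDs and empty signatures."""
    blob = b""
    for when in issued:
        millis = (when - EPOCH) // timedelta(milliseconds=1)
        sct = b"\x00" + bytes(32) + struct.pack(">Q", millis) + b"\x00\x00" + b"\x04\x03\x00\x00"
        blob += struct.pack(">H", len(sct)) + sct
    return struct.pack(">H", len(blob)) + blob

if __name__ == "__main__":
    utc = timezone.utc
    before = build_sct_list(datetime(2024, 10, 30, tzinfo=utc), datetime(2024, 11, 2, tzinfo=utc))
    after = build_sct_list(datetime(2024, 11, 1, tzinfo=utc), datetime(2024, 11, 5, tzinfo=utc))
    print(distrusted_by_default(before, True), distrusted_by_default(after, True))
```

Under the earliest-SCT assumption, a certificate with one SCT before the cutoff stays trusted even if its other SCTs are later.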

in Software,   Security, Posted by logc_nt