Mozilla to stop trusting Entrust’s TLS certificates

Mozilla has announced that it is officially distrusting Entrust, a root certificate authority (CA), starting November 30, 2024, after an extended period of compliance failures. Google already cut ties with Entrust in Chrome over trust issues in June, after Mozilla published a long list of certificate issues from the CA in March and May 2024.

Mozilla’s root store manager, Ben Wilson, shared an email announcing the decision. The email states that, despite Entrust’s attempts, the CA’s response did little to convince Mozilla that the situation will change anytime soon. “Although Entrust’s updated report made an effort to engage with these issues, the commitments given in the report were not meaningfully different from the previous commitments in 2020 and broken in the recent incidents,” states Wilson.

That said, Mozilla does support Entrust’s agreement with SSL.com to act as its External Registration Authority (RA), vetting certificate applicants before handing out security certificates on the site’s behalf. As the operator of the root CA within Mozilla’s root CA program, SSL.com will be responsible for “domain validation, certificate issuance, and revocation, and ultimately, for any incidents that may occur.”

Entrust has previously apologised to Google, Mozilla and the larger web community. The company has also outlined plans to regain the trust of two of the most popular browsers. However, these plans and measures have not met Google and Mozilla’s expectations. Hence, starting November 30, 2024, Mozilla will distrust TLS certificates issued by the following root CAs:

  • CN=AffirmTrust Commercial
  • CN=AffirmTrust Networking
  • CN=AffirmTrust Premium
  • CN=AffirmTrust Premium ECC
  • CN=Entrust Root Certification Authority
  • CN=Entrust Root Certification Authority - EC1
  • CN=Entrust Root Certification Authority - G2
  • CN=Entrust Root Certification Authority - G4
  • CN=Entrust.net Certification Authority (2048)
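
For operators checking whether a site is affected, the following added example (not from the article or from Mozilla) walks a certificate chain, given as subject/issuer name pairs such as those printed by `openssl s_client -showcerts`, up to its top issuer and compares that name with the list above. The sample chains and the `example.test` and "Example" names are constructed; matching by name is a triage step and does not prove which root key signed the chain.

```python
import re

# Root CNs as listed in the article (typographic dashes written as "-").
DISTRUSTED_ROOT_CNS = {
    "AffirmTrust Commercial", "AffirmTrust Networking",
    "AffirmTrust Premium", "AffirmTrust Premium ECC",
    "Entrust Root Certification Authority",
    "Entrust Root Certification Authority - EC1",
    "Entrust Root Certification Authority - G2",
    "Entrust Root Certification Authority - G4",
    "Entrust.net Certification Authority (2048)",
}
# CN value runs until the next ",ATTR=" or the end of the DN string.
_CN_RE = re.compile(r"(?:^|,)\s*CN=(.+?)\s*(?=,\s*[A-Za-z][\w.]*=|$)")

def _norm(dn):
    """Normalize dash variants and spacing around '=' so DNs compare equal."""
    dn = dn.replace("\u2013", "-").replace("\u2014", "-")
    return re.sub(r"\s*=\s*", "=", dn).strip()

def common_name(dn):
    """Return the CN of an OpenSSL- or RFC 2253-style DN string, or None."""
    m = _CN_RE.search(_norm(dn))
    return m.group(1) if m else None

def top_issuer_cn(chain):
    """chain: [(subject_dn, issuer_dn), ...], leaf first. Follow issuer links
    upward; servers usually omit the root, so the last issuer names it."""
    issuer_of = {_norm(s): _norm(i) for s, i in chain}
    current, seen = _norm(chain[0][0]), set()
    while current in issuer_of and current not in seen:
        seen.add(current)
        if issuer_of[current] == current:  # self-signed root sent in the chain
            break
        current = issuer_of[current]
    return common_name(current)

def chains_to_distrusted_root(chain):
    """True if the chain's top issuer name is one of the listed roots.
    Needs the full chain: a lone leaf only names its intermediate."""
    return top_issuer_cn(chain) in DISTRUSTED_ROOT_CNS

# Constructed sample chains (hypothetical names, not real certificates).
AFFECTED_CHAIN = [
    ("CN = www.example.test", "C = US, O = Example Org, CN = Example Issuing CA 1"),
    ("C = US, O = Example Org, CN = Example Issuing CA 1",
     "C = US, O = Entrust, Inc., CN = Entrust Root Certification Authority \u2013 G2"),
]
OTHER_CHAIN = [("CN = api.example.test", "O = Example Org, CN = Example Private Root")]
```
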

In a response to Mozilla’s announcement, Entrust stated that it is “disappointed by this decision”. The response also reiterated the company’s commitment to “continued execution of our improvement plan and re-establishing confidence with Mozilla and the Web PKI community.”

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.