Entrust distrust by major browsers
Google Chrome and Mozilla have announced they will no longer trust certificates issued from Entrust’s root CAs.
Since Entrust is not within the certificate authorities used by Cloudflare, this change may only affect customers who upload custom certificates issued by Entrust.
New Entrust certificates issued on November 12, 2024 or after will not be trusted on Chrome by default. And new Entrust certificates issued on December 1, 2024 or after will not be trusted on Mozilla by default.
Refer to the announcements (Chrome ↗, Mozilla ↗) for a full list of roots that will be distrusted.
To prevent their customers from facing issues, Entrust has partnered with SSL.com, a different certificate authority, trusted by both Chrome and Mozilla.
This means that Entrust certificates will be issued using SSL.com roots.
Since Cloudflare also partners with SSL.com, you can switch from uploading custom certificates to using Cloudflare’s managed certificates. This change brings the following advantages:
- Use Advanced certificates to have more control and flexibility while also benefitting from automatic renewals.
- Enable Total TLS to automatically issue certificates for your proxied hostnames.
- Use Delegated DCV to reduce manual intervention when renewing certificates for partial (CNAME) setup zones.
- If you are a SaaS provider, extend the benefits of automatic renewals to your customers by specifying SSL.com as the certificate authority when creating or editing your custom hostnames (API only).