As I expected, many clients will accept Entrust certificates issued after Nov 30. But to my surprise, several providers of PEM root bundles, notably Certifi/mkcert and curl, will begin automatically omitting Entrust roots after Nov 30 - meaning previously-issued Entrust certs will stop working! This is a complete misinterpretation of Mozilla's Distrust After attribute, and will cause unexpected breakage. I have opened bugs, but I expect other consumers have also misinterpreted Distrust After, so it would be prudent to replace existing Entrust certs.
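The two behaviours the post contrasts, as an added example that is not part of Andrew Ayer's post: a client that honours Mozilla's Distrust After semantics keeps the root and rejects only chains whose leaf was issued after the cutoff, while a PEM bundle that simply drops the root rejects every chain to it, including certificates issued before the cutoff. The code uses Go's crypto/x509 with a constructed test root and two constructed leaves (one issued 2024-06-01, one 2024-12-15); the fingerprint-to-date map and the 2024-11-30 cutoff stand in for what a real client would load from certdata.txt, and nothing here is Entrust's, Mozilla's, curl's or certifi's own code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cutoff as the post describes it: chains to the affected roots are
// distrusted only when the leaf was issued after this date (assumed UTC).
var DistrustAfter = time.Date(2024, time.November, 30, 23, 59, 59, 0, time.UTC)

// SHA-256 root fingerprint -> Distrust After date. A real client would fill
// this from certdata.txt; here it holds only the constructed test root.
var distrustedRoots = map[[32]byte]time.Time{}

// issue signs tmpl with parentKey under parent; with parent == nil it is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyHonoringDistrustAfter keeps the root in the store and rejects a chain
// only if the leaf's NotBefore is later than that root's Distrust After date.
func VerifyHonoringDistrustAfter(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err != nil {
		return err
	}
	var last error
	for _, chain := range chains {
		root := chain[len(chain)-1]
		cutoff, listed := distrustedRoots[sha256.Sum256(root.Raw)]
		if !listed || !leaf.NotBefore.After(cutoff) {
			return nil // at least one acceptable chain exists
		}
		last = fmt.Errorf("leaf issued %s, after root's distrust-after date %s",
			leaf.NotBefore.Format("2006-01-02"), cutoff.Format("2006-01-02"))
	}
	return last
}

// VerifyWithRootDropped models a bundle that omitted the root outright: no
// chain can be built, so every leaf fails regardless of when it was issued.
func VerifyWithRootDropped(leaf *x509.Certificate, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), CurrentTime: now})
	return err
}

// Outcome holds the verification result for each (policy, leaf) pair; nil means accepted.
type Outcome struct {
	DistrustAfterOld, DistrustAfterNew error // Mozilla semantics: leaf issued before / after cutoff
	RootDroppedOld, RootDroppedNew     error // bundle that removed the root
}

// RunScenario builds the constructed root and leaves and evaluates both policies at 2025-01-15.
func RunScenario() (Outcome, error) {
	var out Outcome
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return out, err
	}
	distrustedRoots[sha256.Sum256(root.Raw)] = DistrustAfter
	roots := x509.NewCertPool()
	roots.AddCert(root)
	leaf := func(serial int64, notBefore time.Time) (*x509.Certificate, error) {
		c, _, err := issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "example.test"},
			DNSNames: []string{"example.test"}, NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, root, rootKey)
		return c, err
	}
	oldLeaf, err := leaf(2, time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)) // issued before the cutoff
	if err != nil {
		return out, err
	}
	newLeaf, err := leaf(3, time.Date(2024, 12, 15, 0, 0, 0, 0, time.UTC)) // issued after the cutoff
	if err != nil {
		return out, err
	}
	now := time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC)
	out.DistrustAfterOld = VerifyHonoringDistrustAfter(oldLeaf, roots, now)
	out.DistrustAfterNew = VerifyHonoringDistrustAfter(newLeaf, roots, now)
	out.RootDroppedOld = VerifyWithRootDropped(oldLeaf, now)
	out.RootDroppedNew = VerifyWithRootDropped(newLeaf, now)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("Distrust After semantics: old=%v new=%v\n", out.DistrustAfterOld, out.DistrustAfterNew)
	fmt.Printf("Root dropped from bundle: old=%v new=%v\n", out.RootDroppedOld, out.RootDroppedNew)
}
```

The check keyed on the root's fingerprint is the part a bundle format cannot express: a plain PEM file carries no per-root date, so a consumer that wants Mozilla's semantics has to carry the cutoff out of band and apply it to the leaf's NotBefore itself, rather than editing the root out of the file.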
Andrew Ayer (agwa@follow.agwa.name)'s status on Tuesday, 12-Nov-2024 14:33:13 JST
Andrew Ayer (agwa@follow.agwa.name)'s status on Tuesday, 12-Nov-2024 14:33:14 JST
I looked into how non-browser clients that use the Mozilla root store (i.e. all of Linux) will handle the upcoming Entrust distrust, which is supposed to distrust certificates issued after November 30, 2024: https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended
Spoiler: not well