Entrust TLS Server Certificates Will No Longer Be Trusted by Google Chrome (from 2024/11/01) [Distrust]

[Image: Chrome Distrust (generated by Microsoft Copilot)]

Overview

On 2024/06/27 the Google Security Blog announced that "from 2024/11/01, Entrust TLS server certificates will no longer be trusted by Google Chrome."
TLS server certificates that chain to the following Entrust root CAs will no longer be trusted (Chrome 127 and later).
However, TLS server certificates issued on or before 2024-10-31 are not affected by this change.

  1. CN=Entrust Root Certification Authority – EC1,OU=See www.entrust.net/legal-terms+OU=(c) 2012 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US
  2. CN=Entrust Root Certification Authority – G2,OU=See www.entrust.net/legal-terms+OU=(c) 2009 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US
  3. CN=Entrust.net Certification Authority (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c) 1999 Entrust.net Limited,O=Entrust.net
  4. CN=Entrust Root Certification Authority,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2006 Entrust, Inc.,O=Entrust, Inc.,C=US
  5. CN=Entrust Root Certification Authority – G4,OU=See www.entrust.net/legal-terms+OU=(c) 2015 Entrust, Inc. – for authorized use only,O=Entrust, Inc.,C=US
  6. CN=AffirmTrust Commercial,O=AffirmTrust,C=US
  7. CN=AffirmTrust Networking,O=AffirmTrust,C=US
  8. CN=AffirmTrust Premium,O=AffirmTrust,C=US
  9. CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US

To keep the impact on existing users to a minimum, this action uses a new Chrome capability that removes default trust based on the certificate's SCTs (Signed Certificate Timestamps), i.e. on when the certificate was logged to Certificate Transparency.

When you try to access a site that uses a distrusted certificate, Chrome shows the following warning:

Your connection is not private
Attackers might be trying to steal your information from [FQDN] (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID

Reference
Sustaining Digital Certificate Security – Entrust Certificate Distrust (June 27, 2024)

Impact

Entrust has 569,877 unexpired precertificates (certificates still within their validity period) (as of 2024/06/30).

https://crt.sh/cert-populations

According to recent research by AppViewX, 90% of Fortune 1000 companies use more than three certificate authorities (CAs), and over 20% of them use Entrust.

From recent research, AppViewX discovered a striking statistic: 90% of Fortune 1000 companies utilize more than 3 Certificate Authorities (CAs), with over 20 percent using Entrust. 

https://www.appviewx.com/blogs/attention-google-to-distrust-entrust-tls-certificates/

(Examples of sites using Entrust certificates)
Washington Post

openssl s_client -connect www.washingtonpost.com:443
CONNECTED(000001D8)
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2016 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1J
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = District of Columbia, L = Washington, jurisdictionC = US, jurisdictionST = Delaware, O = The Washington Post (WP Company LLC), businessCategory = Private Organization, serialNumber = 415412, CN = www.washingtonpost.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = District of Columbia, L = Washington, jurisdictionC = US, jurisdictionST = Delaware, O = The Washington Post (WP Company LLC), businessCategory = Private Organization, serialNumber = 415412, CN = www.washingtonpost.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2016 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1J
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2016 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1J
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - EC1
---

Dell

openssl s_client -connect www.dell.com:443
CONNECTED(000001E0)
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Texas, L = Round Rock, O = Dell, CN = *.dell.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Texas, L = Round Rock, O = Dell, CN = *.dell.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
---

P&G Japan

openssl s_client -connect jp.pg.com:443
CONNECTED(000001D8)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = US, ST = Ohio, L = Cincinnati, O = The Procter and Gamble Co., CN = *.jp.pg.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Ohio, L = Cincinnati, O = The Procter and Gamble Co., CN = *.jp.pg.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
 2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
---
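The three openssl s_client outputs above show how to find the root a server's chain ends in, and the SCT rule described in the overview decides whether such a chain is affected. The following Python script is an added example (not part of the original post, and not Google's or Entrust's tooling): it parses the "Certificate chain" block of openssl s_client output, checks whether the root CA is on the distrust list above, and then applies the cutoff to the certificate's earliest SCT timestamp. The Dell output is copied from the page; the SCT timestamps are constructed for the example (in a real check they are read from the leaf certificate's SCT list extension), and treating a leaf without any SCT as affected is this example's own assumption.

```python
import re
from datetime import datetime, timezone

# Root CA common names that Chrome 127+ stops trusting for TLS server authentication,
# taken from the list in the overview (the en dashes of the RFC 4514 names are written
# as ASCII hyphens here because that is how openssl prints them).
DISTRUSTED_ROOT_CNS = {
    "Entrust Root Certification Authority - EC1",
    "Entrust Root Certification Authority - G2",
    "Entrust.net Certification Authority (2048)",
    "Entrust Root Certification Authority",
    "Entrust Root Certification Authority - G4",
    "AffirmTrust Commercial",
    "AffirmTrust Networking",
    "AffirmTrust Premium",
    "AffirmTrust Premium ECC",
}

# Certificates issued on or before this instant keep their trust; the issuance
# time is taken from the earliest SCT embedded in the leaf.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

# openssl s_client output for www.dell.com, copied from the page above.
DELL_OUTPUT = """\
CONNECTED(000001E0)
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Texas, L = Round Rock, O = Dell, CN = *.dell.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Texas, L = Round Rock, O = Dell, CN = *.dell.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
---
"""


def cn_of(dn: str) -> str:
    """Return the CN attribute of an openssl-printed DN (en dash normalised to hyphen)."""
    m = re.search(r"(?:^|,\s*)CN\s*=\s*([^,]+)", dn)
    if not m:
        raise ValueError(f"no CN in DN: {dn!r}")
    return m.group(1).strip().replace("\u2013", "-")


def parse_chain(s_client_output: str) -> list[dict]:
    """Extract subject/issuer CNs from the 'Certificate chain' block of openssl s_client output."""
    chain, in_block = [], False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
            continue
        if in_block and line.strip() == "---":
            break
        if not in_block:
            continue
        m = re.match(r"^\s*\d+\s+s:(.*)$", line)
        if m:
            chain.append({"subject": cn_of(m.group(1)), "issuer": None})
            continue
        m = re.match(r"^\s*i:(.*)$", line)
        if m and chain:
            chain[-1]["issuer"] = cn_of(m.group(1))
    return chain


def root_cn(chain: list[dict]) -> str:
    """The root is the issuer of the last certificate the server sent
    (if the server sends the self-signed root itself, that issuer is the root's own CN)."""
    return chain[-1]["issuer"]


def chrome_trust_status(chain: list[dict], sct_timestamps_ms: list[int]) -> tuple[bool, str]:
    """Return (affected, reason) under the Chrome 127+ Entrust distrust rule.
    sct_timestamps_ms are the leaf's SCT timestamps in milliseconds since the Unix epoch."""
    root = root_cn(chain)
    if root not in DISTRUSTED_ROOT_CNS:
        return False, f"root '{root}' is not on the distrust list"
    if not sct_timestamps_ms:
        # Example's assumption: with no SCT there is nothing to prove issuance before the cutoff.
        return True, f"root '{root}' is on the list and the leaf carries no SCT to date it"
    earliest = datetime.fromtimestamp(min(sct_timestamps_ms) / 1000, tz=timezone.utc)
    if earliest <= CUTOFF:
        return False, f"issued {earliest:%Y-%m-%d} (earliest SCT), on or before the cutoff"
    return True, f"issued {earliest:%Y-%m-%d} (earliest SCT), after the cutoff: NET::ERR_CERT_AUTHORITY_INVALID"


def ms(dt: datetime) -> int:
    return int(dt.timestamp() * 1000)


# Constructed SCT timestamps for the two cases (not taken from any real certificate).
SCT_BEFORE_CUTOFF = ms(datetime(2024, 6, 1, tzinfo=timezone.utc))
SCT_AFTER_CUTOFF = ms(datetime(2024, 11, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    chain = parse_chain(DELL_OUTPUT)
    print("root:", root_cn(chain))
    for scts in ([SCT_BEFORE_CUTOFF], [SCT_AFTER_CUTOFF], []):
        print(chrome_trust_status(chain, scts))
```

Feeding the script the Washington Post or P&G output from above works the same way: both chains end in a root on the list (EC1 and G2 respectively), so only the SCT date decides. For a fleet inventory the useful part is the set of CN matches; whether a given certificate needs replacing before the cutoff follows from its SCT (or, nearly equivalently, its notBefore) date.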

Past incidents

Over the past six years, publicly disclosed incident reports have shown a pattern of concerning behavior by Entrust that fails to meet the expectations described above. This has eroded confidence in Entrust's competence, reliability and integrity.

Mozilla's wiki page also lists Entrust's recent violations (22 items, March 1 to May 10, 2024), which were raised as a problem.
CA/Entrust Issues

A. Incidents related to Missing CPS URI in EV Certificates (7 items)
The incidents listed below in this section A are related to Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1883843.

  1. EV TLS Certificate cPSuri missing –
    The EV TLS certificates lack a cPSuri (CPS URI)
    https://bugzilla.mozilla.org/show_bug.cgi?id=1883843
  2. Failed to provide a preliminary incident report according to TLS BR 4.9.5 –
    No preliminary incident report was provided as required by TLS BR 4.9.5 (reported by Google)
    https://bugzilla.mozilla.org/show_bug.cgi?id=1890123
  3. CPR was not responded to in 24 hours –
    The certificate problem report (CPR) was not responded to within 24 hours
    https://bugzilla.mozilla.org/show_bug.cgi?id=1885754
  4. Delayed revocation of EV TLS certificates with missing cPSuri –
    Revocation of the EV TLS certificates lacking a cPSuri was delayed
    https://bugzilla.mozilla.org/show_bug.cgi?id=1886532
  5. EV Certificate missing Issuer's EV Policy OID –
    The EV certificates lack the issuer's EV policy OID
    https://bugzilla.mozilla.org/show_bug.cgi?id=1888714
  6. Delay in Updating CPS –
    Delayed revocation of the EV certificates lacking the issuer's EV policy OID
    https://bugzilla.mozilla.org/show_bug.cgi?id=1887753
  7. Failure to revoke EV TLS certificates issued before CPS update –
    EV TLS certificates issued before the CPS update were not revoked
    https://bugzilla.mozilla.org/show_bug.cgi?id=1890685

B. Certificates without serverAuth EKU and Delayed Revocation (2 items)

  1. clientAuth TLS Certificates without serverAuth EKU –
    clientAuth TLS certificates were issued without the serverAuth EKU
    https://bugzilla.mozilla.org/show_bug.cgi?id=1886467
  2. Delayed revocation of clientAuth TLS Certificates without serverAuth EKU –
    Revocation of the clientAuth TLS certificates without the serverAuth EKU was delayed
    https://bugzilla.mozilla.org/show_bug.cgi?id=1887705

C. Policy-Procedure Failure: CPS (4 items)

  1. CPS typographical (text placement) error –
    Typographical (text placement) error in the CPS
    https://bugzilla.mozilla.org/show_bug.cgi?id=1890896
  2. Delayed incident report – CPS typographical (text placement) error (Closed) –
    The incident report for the CPS typographical (text placement) error was delayed (closed)
    https://bugzilla.mozilla.org/show_bug.cgi?id=1890901
  3. Failure to revoke OV TLS – CPS typographical (text placement) error –
    OV TLS certificates affected by the CPS typographical (text placement) error were not revoked
    https://bugzilla.mozilla.org/show_bug.cgi?id=1890898
  4. Not updating Problem Reporting Mechanism fields in CCADB –
    The Problem Reporting Mechanism fields in the CCADB were not updated
    https://bugzilla.mozilla.org/show_bug.cgi?id=1894111

D. OCSP and CRL Issues (2 items)

  1. OCSP response signed with SHA-1 –
    OCSP responses were signed with SHA-1
    https://bugzilla.mozilla.org/show_bug.cgi?id=1879602
  2. CRL non-conformance with the TLS BRs (Closed) –
    CRLs did not conform to the TLS BRs (closed)
    https://bugzilla.mozilla.org/show_bug.cgi?id=1889217

E. Issues in Recent History (7 items)

  1. Invalid data in State/Province Field –
    Invalid data in the State/Province field
    https://bugzilla.mozilla.org/show_bug.cgi?id=1658792
  2. Late Revocation for Invalid State/Province Issue –
    Revocation of the certificates with invalid State/Province data was delayed
    https://bugzilla.mozilla.org/show_bug.cgi?id=1658794
  3. EV TLS Certificate incorrect jurisdiction –
    Incorrect jurisdiction in EV TLS certificates
    https://bugzilla.mozilla.org/show_bug.cgi?id=1802916
  4. Delayed Revocation for EV TLS Certificate incorrect jurisdiction –
    Revocation of the EV TLS certificates with an incorrect jurisdiction was delayed
    https://bugzilla.mozilla.org/show_bug.cgi?id=1804753
  5. Jurisdiction Locality Wrong in EV Certificate –
    Incorrect jurisdiction in EV TLS certificates (a postal code was included in the field)
    https://bugzilla.mozilla.org/show_bug.cgi?id=1867130
  6. SHA-256 hash algorithm used with ECC P-384 key –
    SHA-256 was used as the signature hash with an ECC P-384 key (SHA-384 should have been used)
    https://bugzilla.mozilla.org/show_bug.cgi?id=1648472
  7. Late Revocation due to SHA-256 hash algorithm –
    Revocation of the certificates signed with SHA-256 over an ECC P-384 key was delayed
    https://bugzilla.mozilla.org/show_bug.cgi?id=1651481
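Most of the incidents in sections A, B and E above (and several bugs in the list that follows) are certificate contents that a pre-issuance linter is expected to reject. As an added illustration of what such checks look like, and not Entrust's, Mozilla's or Google's tooling, the following Python encodes a handful of them over a simplified certificate description: the dictionary layout, the field names, the sample certificates and the issuer EV policy OID (taken from the 2.999 example arc) are all assumptions made for this example. A real deployment runs a linter such as zlint over the DER-encoded certificate instead of a hand-built dict.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Signature hash the TLS Baseline Requirements pair with each ECDSA curve; item E.6
# above is a P-384 key signed with SHA-256 instead of SHA-384.
ECDSA_HASH_FOR_CURVE = {"P-256": "SHA-256", "P-384": "SHA-384", "P-521": "SHA-512"}
MAX_VALIDITY = timedelta(days=825)             # the limit in force when bug 1561013 was filed
PLACEHOLDER_VALUES = {"", "-", "n/a", "none"}  # bug 1512018: '-' issued in the ST field


def lint_tls_cert(cert: dict, issuer_ev_policy_oid: str = "") -> list[str]:
    """Return findings for a simplified certificate description.

    `cert` is a plain dict (an assumption of this example, not a real X.509 parse) with keys
    subject, san_dns, eku, policy_oids, cps_uri, ev, key, sig_hash, not_before, not_after.
    """
    findings = []

    # B.1: a TLS server certificate must carry the serverAuth EKU.
    if "serverAuth" not in cert.get("eku", []):
        findings.append("B.1 serverAuth EKU missing")

    # A.1 / A.5: EV certificates need a cPSuri and the issuer's own EV policy OID.
    if cert.get("ev"):
        if not cert.get("cps_uri"):
            findings.append("A.1 EV certificate without cPSuri")
        if issuer_ev_policy_oid and issuer_ev_policy_oid not in cert.get("policy_oids", []):
            findings.append("A.5 EV certificate missing issuer's EV policy OID")

    # E.6: an ECDSA signature must use the hash that matches the key's curve.
    key = cert.get("key", {})
    if key.get("type") == "ECDSA":
        expected = ECDSA_HASH_FOR_CURVE.get(key.get("curve"))
        if expected and cert.get("sig_hash") != expected:
            findings.append(f"E.6 {key['curve']} key signed with {cert.get('sig_hash')}, expected {expected}")

    # E.1 / bug 1512018: the State/Province field must hold real data, not a placeholder.
    st = cert.get("subject", {}).get("ST")
    if st is not None and st.strip().lower() in PLACEHOLDER_VALUES:
        findings.append(f"E.1 invalid State/Province value {st!r}")

    # Bugs 1448986 and 1521520: a dNSName is neither an IP address nor may it contain '_'.
    for name in cert.get("san_dns", []):
        try:
            ipaddress.ip_address(name)
            findings.append(f"bug 1448986 IP address {name} in dNSName")
        except ValueError:
            pass
        if "_" in name:
            findings.append(f"bug 1521520 underscore in dNSName {name}")

    # Bug 1561013: the validity period must not exceed the maximum.
    if cert["not_after"] - cert["not_before"] > MAX_VALIDITY:
        findings.append("bug 1561013 validity longer than 825 days")

    return findings


ISSUER_EV_OID = "2.999.1.1"  # constructed placeholder in the OID example arc, not any CA's real OID

# Constructed sample certificates (not real Entrust certificates).
BAD_CERT = {
    "subject": {"C": "US", "ST": "-", "O": "Example Corp", "CN": "www.example.com"},
    "san_dns": ["www.example.com", "203.0.113.10", "api_legacy.example.com"],
    "eku": ["clientAuth"],
    "ev": True,
    "cps_uri": "",
    "policy_oids": ["2.23.140.1.1"],  # CA/Browser Forum EV OID only, issuer's own OID absent
    "key": {"type": "ECDSA", "curve": "P-384"},
    "sig_hash": "SHA-256",
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2027, 1, 1, tzinfo=timezone.utc),
}
GOOD_CERT = {
    **BAD_CERT,
    "subject": {"C": "US", "ST": "Texas", "O": "Example Corp", "CN": "www.example.com"},
    "san_dns": ["www.example.com"],
    "eku": ["serverAuth", "clientAuth"],
    "cps_uri": "https://www.example.com/cps",
    "policy_oids": ["2.23.140.1.1", ISSUER_EV_OID],
    "sig_hash": "SHA-384",
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for label, cert in (("bad", BAD_CERT), ("good", GOOD_CERT)):
        print(label, lint_tls_cert(cert, ISSUER_EV_OID))
```

The constructed BAD_CERT trips every check (eight findings), GOOD_CERT none. The point of the "delayed revocation" companions to each incident (A.4, B.2, E.2, E.4, E.7) is that a linter only helps before issuance; once a misissued certificate exists, the Baseline Requirements' revocation clock starts regardless of how inconvenient replacement is for the subscriber.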

Bug list: 59 bugs (as of 2024/06/30)

ID | Summary | Status | Updated
1879602 | Entrust: OCSP response signed with SHA-1 | ASSIGNED |
1887753 | Entrust: Delay in Updating CPS | ASSIGNED |
1888714 | Entrust: EV Certificate missing Issuer's EV Policy OID | ASSIGNED |
1890685 | Entrust: Failure to revoke EV TLS certificates issued before CPS update | ASSIGNED |
1890896 | Entrust: CPS typographical (text placement) error | ASSIGNED |
1890898 | Entrust: Failure to revoke OV TLS – CPS typographical (text placement) error | ASSIGNED |
1894111 | Entrust: Not updating Problem Reporting Mechanism fields in CCADB | ASSIGNED |
1901270 | Entrust: Action Items from June 2024 Report | ASSIGNED |
1897630 | Entrust: Jurisdiction issue in some EV TLS & Code Signing certificates | ASSIGNED |
1898847 | Entrust: Delayed reporting of Jurisdiction issue in some EV TLS & Code Signing certificates | ASSIGNED |
1898848 | Entrust: Delayed revocation of certificates affected by Jurisdiction issue in some EV TLS & Code Signing certificates | ASSIGNED |
1883843 | Entrust: EV TLS Certificate cPSuri missing | ASSIGNED |
1885754 | Entrust: CPR was not responded to in 24 hours | ASSIGNED |
1886532 | Entrust: Delayed revocation of EV TLS certificates with missing cPSuri | ASSIGNED |
1887705 | Entrust: Delayed revocation of clientAuth TLS Certificates without serverAuth EKU | ASSIGNED |
1890123 | Entrust: Failed to provide a preliminary incident report according to TLS BR 4.9.5 | ASSIGNED |
1428891 | Entrust: Non-BR-Compliant OCSP Responder | RESOLVED | 2023-02-22
1448986 | Entrust: IP Address in dNSName form | RESOLVED | 2023-02-22
1512018 | Entrust: Certificate issued with '-' in ST field | RESOLVED | 2023-02-22
1520876 | Entrust: Late mis-issue certificate revocation | RESOLVED | 2023-02-22
1521520 | Entrust: Late revocation of underscore certificate | RESOLVED | 2023-02-22
1524876 | Entrust: IP in dnsName | RESOLVED | 2023-02-22
1549862 | Entrust: Outdated audit statement for intermediate cert | RESOLVED | 2023-02-22
1552562 | Entrust: Question marks in certificate O and L fields | RESOLVED | 2023-02-22
1561013 | Entrust: Certificate issued with validity greater than 825-days | RESOLVED | 2023-02-22
1567659 | Entrust: SHA-1 Issuance and other misissuance while testing | RESOLVED | 2023-02-22
1627346 | Entrust: S/MIME Certificate Issued with Incorrect Policy OID | RESOLVED | 2023-02-22
1635096 | Entrust: Printable String Constraint Failure | RESOLVED | 2023-02-22
1636339 | Entrust: Failure to revoke a certificate | RESOLVED | 2023-02-22
1648472 | Entrust: SHA-256 hash algorithm used with ECC P-384 key | RESOLVED | 2023-02-22
1651481 | Entrust: Late Revocation due to SHA-256 hash algorithm | RESOLVED | 2023-02-22
1667448 | Entrust: Incorrect keyUsage for ECC certificate | RESOLVED | 2023-02-22
1673119 | Entrust: Subscriber provides private key with CSR | RESOLVED | 2023-02-22
1675295 | Entrust: Invalid data in commonName fields | RESOLVED | 2022-11-14
1731887 | Entrust: Test Website Certificates Expired | RESOLVED | 2023-02-22
1737057 | Entrust: CRLs and OCSP responses not issued as specified in the CPS | RESOLVED | 2023-02-22
1744827 | Entrust: SSL Certificates issued with Un-verified IP Addresses | RESOLVED | 2024-03-08
1748634 | Entrust: Late Revocation for SSL Certificates issued with Un-verified IP Addresses | RESOLVED | 2023-02-22
1766525 | Entrust: TLS Certificate issued with a key that is impacted by the Close Primes vulnerability | RESOLVED | 2023-02-22
1792231 | Entrust: TLS Certificate issued with an incorrect state or province | RESOLVED | 2023-04-19
1802916 | Entrust: EV TLS Certificate incorrect jurisdiction | RESOLVED | 2023-04-24
1804753 | Entrust: Delayed Revocation for EV TLS Certificate incorrect jurisdiction | RESOLVED | 2023-04-19
1867130 | Entrust: Jurisdiction Locality Wrong in EV Certificate | RESOLVED | 2024-05-10
1889217 | Entrust: CRL non-conformance with the TLS BRs | RESOLVED | 2024-05-05
1890901 | Entrust: Delayed incident report – CPS typographical (text placement) error | RESOLVED | 2024-05-05
1535735 | Entrust: Issued Certificates to incorrect Organization | RESOLVED | 2023-02-22
1536287 | Entrust: AffirmTrust Issuing CA Impacted by EJBCA Serial Number Issue | RESOLVED | 2023-02-22
1559376 | Entrust: Certificate Issued with Incorrect Country Code | RESOLVED | 2023-02-22
1599484 | Entrust: EV Certificates Issued with Business Category "Non-Commercial" when it should have been set to "Private Organization" | RESOLVED | 2023-02-22
1611241 | Entrust: Compromised Private Key was not Revoked in Less than 24 Hours | RESOLVED | 2023-02-22
1658792 | Entrust: Invalid data in State/Province Field | RESOLVED | 2023-02-22
1658794 | Entrust: Late Revocation for Invalid State/Province Issue | RESOLVED | 2023-02-22
1667690 | Entrust: Failure to provide a preliminary report within 24 hours. | RESOLVED | 2023-02-22
1685370 | Entrust: Incorrect Business Category Value Discovered in an EV SSL Certificate | RESOLVED | 2023-02-22
1696227 | Entrust: Incorrect Jurisdiction Country Value in an EV Certificate | RESOLVED | 2023-02-22
1712106 | Entrust: Invalid localityName | RESOLVED | 2023-02-22
1390996 | Entrust: Non-BR-Compliant Certificate Issuance | RESOLVED | 2023-02-22
1728796 | Entrust: Incorrect value in Business Category field for Government Entities | RESOLVED | 2023-02-22
1886467 | Entrust: clientAuth TLS Certificates without serverAuth EKU | RESOLVED | 2024-06-28

Google Chrome's past distrust cases
