Announcement: CA Key transfer from Entrust to Sectigo


Nick France

Jun 24, 2025, 6:01:39 AM
to CCADB Public
All,

Sectigo and Entrust would like to update the wider community on our plan for the publicly-trusted Entrust root and subordinate CAs, and invite any questions or discussions around these plans.

As previously stated, Sectigo acquired customers and customer contracts from Entrust, but did not transfer staff, infrastructure or other assets.

We are now planning to transfer ownership and control of the keys for some of the Entrust publicly-trusted root and subordinate CAs to Sectigo.
Those which will not be transferred will be revoked prior to the transfer, and later the keys will be destroyed.
The CAs not being transferred comprise roots and CAs that were never used by subscribers, and also the roots and CAs for 'Affirmtrust'.

There are two main reasons for this plan:

1) Entrust is exiting the public CA business. As such, its CA infrastructure and the corresponding revocation and status services will be wound down and decommissioned. However, there are a large number of valid, long-lived certificates still in use as well as an even larger number of signed documents, code and other objects.
Entrust wants to ensure that revocation and status services (CRL and OCSP) remain operational for as long as possible so as not to impact those long-lived certificates and objects signed from them.
Sectigo will take over operation of these services from Entrust and maintain them for the foreseeable future.


2) We (Sectigo) have learned of a number of subscribers who have need for TLS certificates signed under Entrust roots. The Entrust TLS CAs were shut down in mid-March, so this isn't currently possible.
Entrust has signed a subordinate CA from the Entrust G2 root, which Sectigo will operate and issue fully-compliant (though distrusted) certificates from.
Issuance from this new subordinate CA will be tightly controlled to specific subscribers, and available for a limited time.

I will note that many if not all of the use-cases that require these Entrust-issued certificates are examples of infrastructure and architecture that should *not* need publicly-trusted certificates from the WebPKI.
Sectigo is committed to assisting these subscribers to migrate this infrastructure to private PKI or alternative solutions, though we are aware that in many cases this process can take some time.
Sectigo already advises subscribers on the appropriate use of public versus private PKI for their infrastructure, and we are hopeful that changes such as SC-081, the removal of clientAuth from server certificates, and shortened lifetimes of issuing CAs and more frequent root CA rollovers will go a long way to encouraging subscribers to adopt appropriate technology moving forward.


An overview of the current plan is:

Effect a legal and physical transfer of the keys for the Entrust root and subordinate CAs to Sectigo.
The physical transfer of the keys is tentatively scheduled for early August 2025.
Once transfer has been completed and verified, a cutover will occur and the FQDNs for the revocation and status services will be pointed to Sectigo. We are currently aiming for this to be in mid-September.
Finally, Entrust will perform an audited, witnessed destruction of their copies of the keys and provide those reports to Sectigo, browsers and trust-store operators on request.

The CRL and OCSP services, as well as any limited issuance from CAs, will be operated in full compliance with all industry requirements and on existing Sectigo infrastructure just as the Sectigo infrastructure operates today.

Browsers and trust-store operators have already been notified of these plans and have been asked to voice any concerns or objections if they wish.

Please do ask any questions, and the teams at Sectigo and Entrust will happily answer as needed.

Thanks,

Nick

Martijn Katerbarg

Sep 9, 2025, 3:34:56 PM
to CCADB Public
All,

In line with what was earlier announced in this thread, the CA Key transfer from Entrust to Sectigo was completed earlier today.

Regards,

Martijn
Sectigo 

From: 'Nick France' via CCADB Public <pub...@ccadb.org>
Date: Tuesday, 24 June 2025 at 12:01
To: CCADB Public <pub...@ccadb.org>
Subject: Announcement: CA Key transfer from Entrust to Sectigo


Ben Wilson

Sep 9, 2025, 5:42:51 PM
to Martijn Katerbarg, CCADB Public
All,

On behalf of the CCADB Support Team, we would like to inform you that we are beginning the process of updating the CCADB to reflect the transfer of ownership of several root CAs from Entrust to Sectigo.

This work will include updating CCADB records at both the root CA and intermediate CA levels, as well as adjustments to associated document links. Once these updates are complete, Sectigo will need to create new document associations for these CA hierarchies, and we will also need to supersede the non-audit documents previously associated with Entrust.

We wanted to make the community aware that it may take several days for all CA hierarchy records to be fully updated. Thank you for your patience as we complete these updates.

Thanks,

Ben
