All,

In line with what was earlier announced in this thread, the CA Key transfer 
from Entrust to Sectigo was completed earlier today.

Regards,

Martijn
Sectigo

From: 'Nick France' via CCADB Public <[email protected]>
Date: Tuesday, 24 June 2025 at 12:01
To: CCADB Public <[email protected]>
Subject: Announcement: CA Key transfer from Entrust to Sectigo

All,

Sectigo and Entrust would like to update the wider community on our plan for 
the publicly-trusted Entrust root and subordinate CAs, and invite any questions 
or discussions around these plans.

As previously stated, Sectigo acquired customers and customer contracts from 
Entrust, but did not transfer staff, infrastructure or other assets.

We are now planning to transfer ownership and control of the keys for some of 
the Entrust publicly-trusted root and subordinate CAs to Sectigo.
Those which will not be transferred will be revoked prior to the transfer, and 
later the keys will be destroyed.
The CAs not being transferred comprise roots and CAs that were never used by 
subscribers, and also the roots and CAs for 'Affirmtrust'.

There are two main reasons for this plan:

1) Entrust is exiting the public CA business. As such, its CA infrastructure 
and the corresponding revocation and status services will be wound down and 
decommissioned. However, there are a large number of valid, long-lived 
certificates still in use as well as an even larger number of signed documents, 
code and other objects.
Entrust wants to ensure that revocation and status services (CRL and OCSP) 
remain operational for as long as possible so as not to impact those long-lived 
certificates and objects signed from them.
Sectigo will take over operation of these services from Entrust and maintain 
them for the foreseeable future.


2) We (Sectigo) have learned of a number of subscribers who have need for TLS 
certificates signed under Entrust roots. The Entrust TLS CAs were shut down in 
mid-March, so this isn't currently possible.
Entrust has signed a subordinate CA from the Entrust G2 root, which Sectigo 
will operate and issue fully-compliant (though distrusted) certificates from.
Issuance from this new subordinate CA will be tightly controlled to specific 
subscribers, and available for a limited time.

I will note that many if not all of the use-cases that require these 
Entrust-issued certificates are examples of infrastructure and architecture 
that should *not* need publicly-trusted certificates from the WebPKI.
Sectigo is committed to assisting these subscribers to migrate this 
infrastructure to private PKI or alternative solutions, though we are aware 
that in many cases this process can take some time.
Sectigo already advises subscribers on the appropriate use of public versus 
private PKI for their infrastructure, and we are hopeful that changes such as 
SC-081, the removal of clientAuth from server certificates, and shortened 
lifetimes of issuing CAs and more frequent root CA rollovers will go a long way 
to encouraging subscribers to adopt appropriate technology moving forward.


An overview of the current plan is:

Effect a legal and physical transfer of the keys for the Entrust root and 
subordinate CAs to Sectigo.
The physical transfer of the keys is tentatively scheduled for early August 
2025.
Once transfer has been completed and verified, a cutover will occur and the 
FQDNs for the revocation and status services will be pointed to Sectigo. We are 
currently aiming for this to be in mid-September.
Finally, Entrust will perform an audited, witnessed destruction of their copies 
of the keys and provide those reports to Sectigo, browsers and trust-store 
operators on request.

The CRL and OCSP services, as well as any limited issuance from CAs, will be 
operated in full compliance with all industry requirements and on existing 
Sectigo infrastructure just as the Sectigo infrastructure operates today.

Browsers and trust-store operators have already been notified of these plans 
and have been asked to voice any concerns or objections if they wish.

Please do ask any questions, and the teams at Sectigo and Entrust will happily 
answer as needed.

Thanks,

Nick
--
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/d3d39dd5-c499-41d5-8215-e7df5ce1ae73n%40ccadb.org.
