Release 3.7

July 10, 2024

What's New?

Update on Digital Certificate Trust

Google has announced a policy update regarding digital security certificates. Due to repeated compliance failures, certificates issued by the Certificate Authority (CA) Entrust will no longer be trusted. This policy is implemented to maintain the integrity and security of websites accessed through Google's services.

Action Required for Website Operators: Transition to a New Certificate Authority

Affected website operators are advised to switch to a new publicly trusted certificate authority as soon as possible. This change is crucial for maintaining website trustworthiness and security for users accessing sites through Google.

Deadline for Completion

The transition to a new CA must be finalized before the current Entrust-issued certificates expire. Priority should be given to certificates expiring after October 31, 2024, to ensure continuity in trust and access.

Implementation Guidance

  1. Identify certificates that are issued by Entrust.

    Use the tokens certificate:(browserDistrust:potential),certificate:(browserDistrustExpiryGroup:)certificate:(browserDistrustIssuedByEntrust:)

  2. Select a new publicly-trusted CA and initiate the process for obtaining new certificates.
  3. Update your systems with the new certificates well before the October 31, 2024, deadline to avoid service disruptions.

For guidance on selecting a new CA, refer to the Configure Certificate Authorities section of the Certificate View online help.

Dashboard Widget for Entrust Certificates

We have also introduced dashboard widgets for  identifying certificates issued by Entrust and taking necessary action to update your systems with the new certificates issued by trusted authorities.

You can import the JSON file to use this dashboard. Click here to download the file.

To know more about how to import the dashboard, refer to the Qualys Unified Dashboard Online help. 

Root and Intermediate Certificate Assessment

With this release, it is now possible to view the certificate paths for leaf and intermediate certificates along with the root certificate. Earlier, visibility was limited to the root certificate path.

Benefits

You can get a complete assessment for Root and Intermediate, including a detailed assessment report, certificate strength, signature algorithm, and cipher suits, and you can monitor their expiration.

View Certificate path.

Filters for Certificates Type

For easier navigation, the left pane of the Certificate View now has filters. These filters display the count of certificates based on their types, such as  LeafIntermediate,  and Root .

Leaf filter

New Tokens for Certificates Tab

Token Description Example
certificate:(type: ) Use certificate type as Intermediate, Leaf, or Root to search these types of certificates. certificate:(type:leaf)
certificate:(browserDistrust: ) Use this token to search a list of leaf certificates distrusted by Google Chrome. certificate:(browserDistrust:potential)
certificate:(browserDistrustIssuedByEntrust:) Use the subject name as the token value to search a list of leaf certificates issued by the certificate authority (CA) Entrust, which Google Chrome no longer trusts. certificate:(browserDistrustIssuedByEntrust: Entrust Root Certification Authority)
certificate:(browserDistrustExpiryGroup: ) Use the values such as 0-30 Days | 31-60 Days | 61-90 Days| 180+ Days | 91-180 Days | Expired
to search a list of leaf certificates issued by the certificate authority (CA) Entrust, which Google Chrome no longer trusts.
certificate:(browserDistrustExpiryGroup: 61-90 Days)

New Tokens for Assets Tab

Token Description Example
certificate:(type:) Use certificate type as Intermediate, Leaf, or Root to search assets associated with these certificate types. certificate:(type:Intermediate)
certificate:(browserDistrust: ) Use this token to search a list of assets associated with leaf certificates distrusted by Google Chrome. certificate:(browserDistrust:potential)
certificate:(browserDistrustIssuedByEntrust:) Use the subject name as the token value to search a list of assets associated with leaf certificates issued by the certificate authority (CA) Entrust, which Google Chrome no longer trusts. certificate:(browserDistrustIssuedByEntrust: Entrust Root Certification Authority)
certificate:(browserDistrustExpiryGroup: ) Use the values such as 0-30 Days | 31-60 Days | 61-90 Days| 180+ Days | 91-180 Days | Expired
to search a list of assets associated with leaf certificates issued by the certificate authority (CA) Entrust, which Google Chrome no longer trusts.
certificate:(browserDistrustExpiryGroup: 61-90 Days)

Create a Report Using New Tokens

With this release, you can use the newly introduced tokens in the query to create various reports.

For example, 

  • Use certificate:(type:) token to get details of certificates based on their types, such as intermediate, leaf, or root. 
  • Use certificate:(browserDistrust: ), certificate:(browserDistrustIssuedByEntrust:)certificate:(browserDistrustExpiryGroup: ) tokens to identify certificates that are issued by Entrust and take necessary action to update your systems with the new certificates by trusted authorities.

API Features and Enhancements

  • With this release, you can now view certificates and instance details of assets detected by the Web App Scanning (WAS) app using the following Certificate View APIs.
    • List CertView Certificates (v1)
    • List CertView Certificates (v2) 
    • List Assets for a Certificate
    • List Server Instances 

For detailed information on APIs, refer to the Certificate View API Release Notes.

Issue Addressed

  • We resolved an issue where the user could not see internal sites in the Internal Sites tab by making relevant code changes.