Release 3.7
July 29, 2024
What's New?
Update on Digital Certificate Trust
Google has announced a policy update regarding digital security certificates. Due to repeated compliance failures, certificates issued by the Certificate Authority (CA) Entrust will no longer be trusted. This policy is implemented to maintain the integrity and security of websites accessed through Google's services.
Action Required for Website Operators: Transition to a New Certificate Authority
Affected website operators are advised to switch to a new publicly trusted certificate authority as soon as possible. This change is crucial for maintaining website trustworthiness and security for users accessing sites through Google.
Deadline for Completion
The transition to a new CA must be finalized before the current Entrust-issued certificates expire. Priority should be given to certificates expiring after October 31, 2024, to ensure continuity in trust and access.
Implementation Guidance
- Identify certificates that are issued by Entrust.
  Use the tokens certificate:(browserDistrust:potential), certificate:(browserDistrustExpiryGroup:), and certificate:(browserDistrustIssuedByEntrust:).
- Select a new publicly-trusted CA and initiate the process for obtaining new certificates.
- Update your systems with the new certificates well before the October 31, 2024, deadline to avoid service disruptions.
For guidance on selecting a new CA, refer to the Configure Certificate Authorities section of the Certificate View online help.
Dashboard Widget for Entrust Certificates
We have also introduced dashboard widgets for identifying certificates issued by Entrust and taking necessary action to update your systems with the new certificates issued by trusted authorities.
You can import the JSON file to use this dashboard. Click here to download the file.
To know more about how to import the dashboard, refer to the Qualys Unified Dashboard Online help.
Root and Intermediate Certificate Assessment
With this release, you can view Intermediate and Root CA certificates along with Leaf certificates in the Certificates tab when they are detected through scans (VM Scan, CertView Scan, Agent Scan, WAS, EASM). Earlier, this view was limited to Leaf certificates only.
Benefits
You can get a complete assessment for Root and Intermediate certificates, including a detailed assessment report, certificate strength, signature algorithm, and cipher suites, and you can monitor their expiration.
Filters for Certificates Type
For easier navigation, the left pane of the Certificates tab now has filters. These filters display the count of certificates based on their types, such as Leaf, Intermediate, and Root.
New Tokens for Certificates Tab
Name | Description | Example |
---|---|---|
certificate:(type: ) | Use certificate type as Leaf, Intermediate, or Root to search these types of certificates. | certificate:(type: |
certificate:(browserDistrust: ) | Use this token to search a list of leaf certificates distrusted by Google Chrome. | certificate:(browserDistrust: |
certificate:(browserDistrustIssuedByEntrust:) | Use the subject name as the token value to search a list of leaf certificates issued by the certificate authority (CA) Entrust, which Google Chrome no longer trusts. | certificate:(browserDistrustIssuedByEntrust: |
certificate:(browserDistrustExpiryGroup: ) | Use the time ranges to search for leaf certificates issued by the Certificate Authority (CA) Entrust, which Google Chrome no longer trusts and are expiring during the period. | certificate:(browserDistrustExpiryGroup: |
New Tokens for Assets Tab
Name | Description | Example |
---|---|---|
certificate:(type:) | Use certificate type as Intermediate, Leaf, or Root to search assets associated with these certificate types. | certificate:(type: |
certificate:(browserDistrust: ) | Use this token to search a list of assets associated with leaf certificates distrusted by Google Chrome. | certificate:(browserDistrust: |
certificate:(browserDistrustIssuedByEntrust:) | Use the subject name as the token value to search a list of assets associated with leaf certificates issued by the certificate authority (CA) Entrust, which Google Chrome no longer trusts. | certificate:(browserDistrustIssuedByEntrust: |
certificate:(browserDistrustExpiryGroup: ) | Use the time ranges to search for assets associated with leaf certificates issued by the certificate authority (CA) Entrust, which Google Chrome no longer trusts and are expiring during the period. | certificate:(browserDistrust |
Create a Report Using New Tokens
With this release, you can use the newly introduced tokens in the query to create various reports.
For example,
- Use the certificate:(type:) token to get details of certificates based on their types, such as intermediate, leaf, or root.
- Use the certificate:(browserDistrust: ), certificate:(browserDistrustIssuedByEntrust:), and certificate:(browserDistrustExpiryGroup: ) tokens to identify certificates that are issued by Entrust and take necessary action to update your systems with the new certificates by trusted authorities.
API Features and Enhancements
- With this release, you can now view certificates and instance details of assets detected by the Web App Scanning (WAS) app using the following Certificate View APIs:
  - List CertView Certificates (v1)
  - List CertView Certificates (v2)
  - List Assets for a Certificate
  - List Server Instances
For detailed information on APIs, refer to the Certificate View API Release Notes.
Issue Addressed
We resolved an issue where the user could not see internal sites in the Internal Sites tab by making relevant code changes.