Release 3.7

July 29, 2024

What's New?

Update on Digital Certificate Trust

Google has announced a policy update regarding digital security certificates. Due to repeated compliance failures, certificates issued by the Certificate Authority (CA) Entrust will no longer be trusted. This policy is implemented to maintain the integrity and security of websites accessed through Google's services.

Action Required for Website Operators: Transition to a New Certificate Authority

Affected website operators are advised to switch to a new publicly trusted certificate authority as soon as possible. This change is crucial for maintaining website trustworthiness and security for users accessing sites through Google.

Deadline for Completion

The transition to a new CA must be finalized before the current Entrust-issued certificates expire. Priority should be given to certificates expiring after October 31, 2024, to ensure continuity in trust and access.

Implementation Guidance

  1. Identify certificates that are issued by Entrust.

    Use the tokens certificate:(browserDistrust:potential),certificate:(browserDistrustExpiryGroup:)certificate:(browserDistrustIssuedByEntrust:)

  2. Select a new publicly-trusted CA and initiate the process for obtaining new certificates.
  3. Update your systems with the new certificates well before the October 31, 2024, deadline to avoid service disruptions.

For guidance on selecting a new CA, refer to the Configure Certificate Authorities section of the Certificate View online help.

Dashboard Widget for Entrust Certificates

We have also introduced dashboard widgets for identifying certificates issued by Entrust and taking necessary action to update your systems with the new certificates issued by trusted authorities.

You can import the JSON file to use this dashboard. Click here to download the file.

To know more about how to import the dashboard, refer to the Qualys Unified Dashboard Online help. 

Root and Intermediate Certificate Assessment

With this release, it is now possible to view Intermediate and Root CA certificates along with Leaf certificates in Certificates Tab detected through Scans (VM Scan, Certview Scan, Agent Scan, WAS, EASM). Earlier, it was limited to Leaf certificates only.

Benefits

You can get a complete assessment for Root and Intermediate, including a detailed assessment report, certificate strength, signature algorithm, and cipher suits, and you can monitor their expiration.

Filters for Certificates Type

For easier navigation, the left pane of the Certificatse tab now has filters. These filters display the count of certificates based on their types, such as  LeafIntermediate, and Root .

Leaf filter

New Tokens for Certificates Tab

Name Description Example
certificate:(type: ) Use certificate type as Leaf, Intermediate, , or Root to search these types of certificates. certificate:(type:leaf)
certificate:
(browser
Distrust: )
Use this token to search a list of leaf certificates distrusted by Google Chrome. certificate:(browserDistrust:potential)
certificate:(browserDistrust
Issued
ByEntrust:)
Use the subject name as the token value to search a list of leaf certificates issued by the certificate authority (CA) Entrust, which Google Chrome no longer trusts. certificate:(browserDistrustIssuedByEntrust: Entrust Root Certification Authority)
certificate:(browserDistrust
ExpiryGroup: )
Use the time ranges to search for leaf certificates issued by the Certificate Authority (CA) Entrust, which Google Chrome no longer trusts and are expiring during the period. certificate:(browserDistrustExpiryGroup: 0-30 Days)

New Tokens for Assets Tab

Name Description Example
certificate:(type:) Use certificate type as Intermediate, Leaf, or Root to search assets associated with these certificate types. certificate:(type:
Intermediate)
certificate:(browser
Distrust: )
Use this token to search a list of assets associated with leaf certificates distrusted by Google Chrome. certificate:(browserDistrust:
potential)
certificate:(browserDistrust
Issued
ByEntrust:)
Use the subject name as the token value to search a list of assets associated with leaf certificates issued by the certificate authority (CA) Entrust, which Google Chrome no longer trusts. certificate:(browserDistrustIssuedByEntrust: Entrust Root
Certification
Authority
)
certificate:(browserDistrust
ExpiryGroup: )
Use the time ranges to search for assets associated with leaf certificates issued by the certificate authority (CA) Entrust, which Google Chrome no longer trusts and are expiring during the period. certificate:(browserDistrust
ExpiryGroup:
61-90 Days)

Create a Report Using New Tokens

With this release, you can use the newly introduced tokens in the query to create various reports.

For example, 

  • Use certificate:(type:) token to get details of certificates based on their types, such as intermediate, leaf, or root. 
  • Use certificate:(browserDistrust: ), certificate:(browserDistrustIssuedByEntrust:)certificate:(browserDistrustExpiryGroup: ) tokens to identify certificates that are issued by Entrust and take necessary action to update your systems with the new certificates by trusted authorities.

API Features and Enhancements

  • With this release, you can now view certificates and instance details of assets detected by the Web App Scanning (WAS) app using the following Certificate View APIs.
    • List CertView Certificates (v1)
    • List CertView Certificates (v2) 
    • List Assets for a Certificate
    • List Server Instances 

For detailed information on APIs, refer to the Certificate View API Release Notes.

Issue Addressed

We resolved an issue where the user could not see internal sites in the Internal Sites tab by making relevant code changes.