Google discontinues supporting Symantec certificates, Symantec sells SSL division to DigiCert

3 August 2017

Late March 2017 Google announced their plan to take measures against Symantec, which would lead to a lot of issues for the support of Symantec certificates in Google Chrome. Following this announcement, both parties created various proposals on how to solve the situation. Google just announced their final proposal regarding the support of Symantec certificates in Google Chrome. In reaction to the recent discussions and disputes between both parties, Symantec has announced that it will sell its entire SSL certificate division to DigiCert

What is Google's final proposal?

As announced in one of their Chromium Blog posts, Google sticks with their earlier announced plan to gradually reduce the support of SSL certificates from Symantec, Thawte and Geotrust. Starting April 2018 (revised from August 2017):

  • Starting with Chrome version 66 (April 2018) all Symantec certificates issued before the 1st of June 2016 will not be trusted anymore.
  • Starting with Chrome version 70 (planned for September 2018) all Symantec certificates issued under the current PKI infrastructure won't be trusted anymore.

DigiCert acquires SSL certificate division from Symantec

On August 2nd it was announced that the American Certificate Authority DigiCert will acquire the entire SSL division from Symantec. DigiCert is a relatively young CA with a modern PKI infrastructure. The company is a lot smaller compared to Symantec with a market share of 2.2% (compared to 14%). By using this new PKI infrastructure the demands made by Google are met, without the need for Symantec to replace their current outdated PKI infrastructure. It is not clear yet, if DigiCert will continue to use the Symantec brand for their SSL certificates. Both parties state that they see this collaboration as a long term plan, proven by the fact that Symantec has a stake in the common stock equity of the DigiCert business and that DigiCert will continue to employ Symantec employees and take over part of the offices from Symantec. According to the latest plan, the entire transition should be finished in the 4th quarter of 2018. Both parties agreed to primarly focus on a smooth transition for Symantec customers.

What does this mean for current Symantec customers?

Google has yet to release a statement regarding the acquisition plans of DigiCert. Symantec and DigiCert did not release detailed information on how they will fulfil the transition to DigiCert. They did announce though that DigiCert will function as a replacement managed CA as per December 2017. This will ensure that current Symantec customers will be able to reissue their certificates. Additional managed CA's will possibly be needed as replacement CA. For Symantec customers this potentially means:

  • Symantec certificates issued prior to June 1st, 2016 must be replaced til latest April 2018. This can be done by reissuing the certificate through the replacement CA or by replacing your certificate by a different certificate brand (e.g. Comodo).
  • Prior to September 2018 all Symantec certificates must be reissued through a newer, modernized PKI infrastructure, for example by DigiCert or any other brand. This means that each Symantec certificate that has been issued recently, or still will be issued through the outdated PKI infrastructure in the near future, must be replaced if still valid in September 2018.

Mozilla conforms itself to the proposal

Mozilla announced that they target the same change implementation dates for Firefox as Google does for Chrome, but actually prefers to have earlier dates. Precise dates from Mozilla still have to be defined and will be communicated as soon as available. Mozilla mentions that having a mutual approach together with the other web browsers is more important to them than having an earlier deadline.

I have Symantec certificates, what can I do?

If you have Symantec certificates that have been issued before June 1st, 2016 we will inform you well in advance of the April 2018 deadline with informations regarding the reissuance options and (free) replacement offers. It currently is expected that reissuance of Symantec certificates will be possible from December 2017. As an alternative you can also replace your Symantec certificate by a different certificate brand. With immediate effect you can change your Symantec certificate to a comparable Comodo certificate at no additional charge. Interested in switching brands? Do not hesitate to contact us!

SSLCheck

Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues