Google and Mozilla have lost faith in Symantec certificates after multiple incidents related to their issuance over the past years. Symantec’s SSL division will be taken over by DigiCert, which allows Symantec certificates to stay trusted in Google Chrome and Mozilla Firefox. Symantec, GeoTrust and Thawte certificates can be reissued free of charge from December 1, 2017 so that they will continue to be trusted in these browsers.
Impact on certificates in Google Chrome
Google has published its final timeline for terminating support for Symantec certificates in its popular Chrome browser. Chrome is the most used browser internationally. Besides Mozilla Firefox, other browsers are expected to make similar changes as well. Symantec, GeoTrust and Thawte certificates issued using the former VeriSign root will stop being trusted in Google Chrome at a point that depends on the issue date of the certificate. Comodo and GlobalSign certificates are not affected.
In order for certificates issued by Symantec, GeoTrust and Thawte to be trusted in major browsers, they need to be reissued free of charge:
- Certificates issued before June 1, 2016, will stop being trusted as of Chrome version 66, due to be released on March 15, 2018. These certificates will need to be reissued between December 1, 2017 and March 15, 2018.
- Certificates issued between June 1, 2016 and December 1, 2017, will stop being trusted as of Chrome version 70, due to be released on September 13, 2018. These certificates will need to be reissued between December 1, 2017 and September 13, 2018.
DigiCert issues Symantec certificates from December 1, 2017. Symantec certificates issued by DigiCert will be fully trusted by upcoming Chrome releases.
Impact on certificates in Mozilla Firefox
As Firefox will stop supporting Symantec certificates at a later date, we will follow Chrome’s timeline for the reissuance dates. The timeline announced by Firefox is as follows:
- As of January 2018 (Firefox version 58), a warning will be shown in the Developer section for Symantec certificates issued before June 1, 2016.
- As of May 2018 (Firefox version 60), a "not trusted" warning will be shown for Symantec certificates issued before June 1, 2016.
- As of October 2018 (Firefox version 63), all Symantec certificates issued from the former PKI infrastructure (before December 1, 2017) won’t be trusted.
In addition to the browsers, SSLLabs has announced that, from 1 March 2018, it will adjust the grading in its SSL Server Test to a T-score if a website uses a Symantec SSL certificate issued before 1 June 2016.
From December 1, 2017, certificates can be reissued using the following steps.
|Certificates issued before June 1, 2016|Reissue before March 15, 2018|
|Certificates issued after June 1, 2016|Reissue before September 13, 2018|
- From early December, certificates due to be reissued will be shown in the Xolphin Control Panel along with the final reissuing date. Furthermore, information regarding certificates that should be reissued will be sent via email.
- Choose ‘Reissue’ in the Xolphin Control Panel for every certificate due to be reissued. We recommend generating a new CSR. Alternatively, the previous CSR can be re-used. It can be found in the Control Panel as well.
After a reissue, the old certificate will not be revoked.
With this procedure you'll receive the same certificate type and brand with the same start and end date, but signed by the new DigiCert root certificate. As an alternative, you can switch to another brand. You may switch your certificates to similar Comodo or GlobalSign certificates at no cost or for a reduced price. If you prefer this, please contact us.
Note: We notify you in the Control Panel about all certificates issued before December 1, 2017. This may include certificates that expire before the mentioned reissue date. In this case, a regular renewal is sufficient instead of a reissue; renewal is possible from 90 days before the expiration date. Some development environments will start warning sooner. This will not harm most website visitors, but if you want to prevent it you can opt for a free reissue. Certificates that expire before the exchange date are clearly marked in the Control Panel.
Impact of limiting the validity period to 2 years
From March 1, 2018, the maximum allowed term for all brands and types of SSL certificates is 825 days (approximately 27 months). If after this date you reissue a Symantec, Thawte or GeoTrust certificate that is still valid for longer than 825 days at the time of reissue, the remaining term is limited to 825 days. If you do the reissue before March 1, 2018, you will receive a certificate with the original term.
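The reissue timeline and the 825-day limit described above can be checked per certificate. The following Python script is an added example, not tooling from Xolphin, DigiCert or any browser vendor; matching the brand by a substring of the issuer name, the function names and the sample certificate data are assumptions constructed for illustration.

```python
from datetime import date, datetime, timedelta

# Dates and limits as stated in the article.
OLD_CUTOFF = date(2016, 6, 1)      # issued before: untrusted from Chrome 66
NEW_PKI_START = date(2017, 12, 1)  # DigiCert issues from this date
CHROME_66 = date(2018, 3, 15)
CHROME_70 = date(2018, 9, 13)
CAP_START = date(2018, 3, 1)       # 825-day limit applies from this date
MAX_DAYS = 825
BRANDS = ("symantec", "geotrust", "thawte")  # assumption: brand appears in issuer

# Constructed sample in the layout printed by
# `openssl x509 -noout -issuer -startdate -enddate`.
SAMPLE = """issuer=C = US, O = Symantec Corporation, CN = Example Symantec Issuing CA
notBefore=May 12 00:00:00 2016 GMT
notAfter=May 12 23:59:59 2019 GMT"""

def parse_openssl(text):
    """Return (issuer, not_before, not_after) from the openssl text output."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    def to_date(stamp):
        return datetime.strptime(stamp.replace(" GMT", ""), "%b %d %H:%M:%S %Y").date()
    return fields["issuer"], to_date(fields["notBefore"]), to_date(fields["notAfter"])

def reissue_action(issuer, not_before, not_after):
    """Return (action, date) following the reissue timeline in the article."""
    affected = any(b in issuer.lower() for b in BRANDS) and not_before < NEW_PKI_START
    if not affected:
        return ("not affected", None)
    deadline = CHROME_66 if not_before < OLD_CUTOFF else CHROME_70
    if not_after < deadline:
        return ("regular renewal", not_after)  # expires before the reissue deadline
    return ("reissue", deadline)

def end_date_after_reissue(reissue_day, not_after):
    """End date of the reissued certificate under the 825-day limit."""
    if reissue_day >= CAP_START:
        return min(not_after, reissue_day + timedelta(days=MAX_DAYS))
    return not_after

if __name__ == "__main__":
    print(reissue_action(*parse_openssl(SAMPLE)))
```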
Some certificates require a new round of validation - as such, make sure to request the reissue in time. Worldwide, millions of certificates will need to be reissued, so take into account a slightly longer delivery time.
- Domain validation certificates require validation via email.
- Organisation and extended validation certificates require a new round of validation of business data, in case the last validation was completed over 27 months ago.
As soon as the certificate has been reissued, you will receive an email with the new certificates. Aside from the SSL certificate itself, you’ll need to replace the root certificate as well. These can be found in the Download section of the Xolphin Control Panel. Newly issued SSL certificates will be cross-signed by the previous Symantec root to ensure maximum browser compatibility.
Problems between Google and Symantec
In the first quarter of 2017, it became known that Symantec certificates had been issued incorrectly. An investigation showed that Symantec did not sufficiently monitor the partners that issued certificates on its behalf. These partners issued Symantec certificates in a manner that did not meet the requirements. According to Google, Symantec did not detect shortcomings in a timely manner, and did not respond to reports adequately. Furthermore, Google mentions that Symantec did not disclose these problems itself after finding out.
Google announced they will be terminating support for Symantec, GeoTrust and Thawte certificates in Google Chrome. In August 2017, US-based certificate authority DigiCert announced they will be taking over the entire Symantec PKI division. By implementing DigiCert’s infrastructure, Google’s requirements for safer certificate management are met. As such, Symantec will not need to replace their outdated PKI infrastructure.