Best Practices 09-12-2018

Majority of Companies Prepared for Upcoming Chrome 70 Distrust of Symantec-Issued TLS Certificates

Jeremy Rowley

DigiCert ready to help those yet to act with quick, free replacement process

The stable release of Google Chrome 70 is a little over a month away, marking the browser’s final distrust date of Symantec TLS roots. Most leading websites have already made the transition to DigiCert trusted roots, with only about 1-2 percent of base domains among the Alexa 1 million remaining impacted as of today, according to internal research.

We advise those yet to get a free replacement TLS certificate from DigiCert to do so ahead of this week’s Chrome 70 beta release, if at all possible, and certainly prior to the Chrome 70 stable release, which is scheduled to go live on or around October 16. After that time, any TLS certificates issued prior to Dec. 1, 2017 on Symantec roots will be distrusted in Chrome and lead to interrupted browsing for users.

DigiCert continues to help customers make the transition with free replacements of Symantec-issued TLS certificates to extend trust through the end of the licensing period for their original purchase. As a company, we also have been undertaking unprecedented outreach, with millions of emails and calls, to educate customers about potential impacts and solutions for their businesses. Organizations have the tools they need to enable continuity in their trusted communications not only in Chrome but across all popular browsers. All this work makes it possible to minimize the impacts on end users as distrust occurs. This is a better scenario than some had predicted months ago.

Symantec, Thawte, GeoTrust and RapidSSL TLS certificate holders impacted by distrust are ready to focus on the future, looking forward to the continual improvements we at DigiCert are making in our own processes and throughout the industry. As the leading CA, DigiCert is prepared to escalate trust throughout the ecosystem and ensure all relying parties have a safe browsing experience.

Investing in Tools and Resources to Help Customers

Since completing our acquisition of Symantec Website Security and related PKI solutions on Oct. 31, 2017, DigiCert has invested the time and resources necessary to help minimize the impacts of Symantec distrust on our customers and partners. This first required replacing all Symantec backend systems with our own architecture and re-validating all customers. By completing this major effort, we have been able to manage the large volume of replacement certificates without notable delays for customers after the initial flurry that continued from Dec. 1, 2017 through early February 2018.

In addition to the widespread customer outreach, we’ve replaced Symantec issuing systems, hired and trained many validation and support personnel, and we’ve built a bulk ordering tool. This tool presents all affected certificates in a single view and allows pre-validated customers to order and issue their replacement certificates at one time. It makes certificate replacement a matter of a couple clicks, similar to how customers would renew a certificate.

Moving Forward to Strengthen Web PKI Trust

Symantec, Thawte, GeoTrust and RapidSSL customers have been re-validated within the last 9 months, constituting a major effort by our validation teams. During this process, we’ve discovered legacy domain validation methods, used by some CAs, that had potential issues. We’ve worked with the CAB Forum to propose and pass a ballot that improved these practices. We continue to work with the CAB Forum and other bodies to improve CA operations and strengthen standards.

Affected customers that have replaced their Symantec-issued certificates with us to comply with the Chrome 70 timelines can move forward with confidence in their TLS deployments. Replaced certificates also comply with the upcoming Symantec TLS distrust actions of Mozilla Firefox 63 and coming versions of the Microsoft Edge and Apple Safari browsers.

We thank our partners and customers for their loyalty, as we have focused our efforts on helping them with this unprecedented distrust event. Truly, no CA or its customers have ever managed an acquisition and root transfer of this magnitude with such urgent timelines. With the end of this replacement process in sight, we look forward to the road ahead, which is full of tremendous opportunities to advance trustworthy communications not only in the web PKI but for a number of emerging markets and technologies.

We also appreciate the browser and security communities for working with us to make this leap forward in a way that supports the various use cases of those affected.

We pledge to our partners and customers our continued focus on their needs. We also renew our commitment to transparency and good corporate citizenship within the security community. At DigiCert, the core of who we are remains most important to us: taking care of people, doing what’s right for security and building solutions that improve security operations for our customers and make everyone safer.

We look forward to moving ahead with optimism and determination about the future. Look for more announcements to come.

