Best Practices 04-17-2018

Getting Ahead of Chrome 70 Distrust of Symantec-Issued Certificates


Today marks the planned release of Google Chrome 66 stable version and the culmination of the first major distrust event for Symantec root certificates in the world’s most used web browser. With the Chrome 66 stable release, Symantec, Thawte, GeoTrust, and RapidSSL certificates issued before June 1, 2016, and still in use will be greeted with warning messages in the browser. The stable release is the consumer version and the one most used.

DigiCert has offered free replacements for holders of affected certificates, which extend trust on DigiCert roots through the end of the original validity period. We have been working hard to make sure customers are informed and have the tools necessary to keep trust in their certificate deployments. As of today, the large majority of affected customers have taken corrective action and will enjoy continued trust in their HTTPS operations without interruption.

In the past few months, we have gained important insights and made system improvements that will simplify the process for customers needing to replace Symantec-issued certificates that will be impacted by Chrome 70 distrust. We advise customers with remaining certificates issued on Symantec roots to begin planning their free replacements now, well ahead of announced Chrome 70 distrust dates. To further help organizations with large certificate volumes, we’ve enabled a bulk ordering tool that allows them to view all affected certificates and request replacements all at once, rather than one at a time. These customers may request replacements via their existing certificate ordering portal, and they only need to make a couple of clicks, similar to how they would renew a certificate.

Google has announced the timelines for future Symantec root distrust in Chrome. Mozilla has also announced plans to distrust Symantec root certificates with the release of Firefox 63 in October 2018.

Since taking over validation and issuance for Symantec, Thawte, GeoTrust, and RapidSSL brands on December 1, 2017, DigiCert has worked extensively to educate customers with affected certificates and to work with our partners to help their customers. DigiCert offers the simplest path for affected certificate holders to maintain trust in their SSL/TLS deployments. DigiCert’s root certificates are fully trusted in all major browsers, and certificates replaced to meet Chrome timelines also remain trusted for future Firefox versions.

Browser distrust of Symantec-issued certificates and DigiCert’s free replacement program are significant events, unlike anything the CA industry has seen before. Our technical teams have spent many long hours working to replace Symantec validation and issuing back-end systems with our own and to tie in to Symantec Website Security brand front-end systems for ease of issuance. We have hired more than 200 additional validation staff and trained them on our CAB-Forum-compliant processes. Additional efforts to support customers include:

  • Sending a series of nearly 700,000 emails to customers reminding them of deadlines, necessary action items, and information
  • Establishing an outbound call center and calling all affected customers
  • Displaying reminder messages in multiple languages in the portals customers use to order and manage certificates
  • Hosting multiple webinars
  • Posting documentation in multiple languages for replacing Symantec-issued certificates
  • Providing dedicated support to partners and multiple enhancements to partner systems to help them work with customers

Customer education and support efforts continue to help organizations get ahead of the Chrome 70 and Mozilla Firefox 63 timelines.

We thank our customers for their patience and loyalty in sticking with us in what has been a unique time. We are confident in our ability to provide the easiest path for Symantec customers with remaining certificates affected by Chrome 70 and Mozilla 63 distrust, and we pledge our continued commitment to improving the customer experience.

As we continue to focus on helping customers transition beyond Symantec root distrust, we are excited about the innovations planned for the remainder of 2018. We have many meaningful improvements planned for the SSL/TLS, PKI and IoT security markets and look forward to revealing additional details in coming months.

