DigiCert has been regularly updating customers on Symantec root distrust for the past several years. The most recent guidance from Apple is that as of September 2, 2021, Apple is distrusting 9 legacy Symantec root certificates. Root distrust means all certificates issued from these roots and all objects signed from those certificates are no longer trusted on macOS and iOS after this date.
This change impacts all certificate types issued from these root certificates—TLS, code signing, document signing, S/MIME, and client—and any objects signed with certificates (active or expired) chained to any of the 9 distrusted root certificates listed below under "What are the 9 impacted root certificates?"
If your implementation requires Apple trust, you must reissue certificates using the DigiCert hierarchy and re-sign objects (code, document, email, etc.).
What are the 9 impacted root certificates?
Impacted customers have received direct communications on these changes. If you have additional questions, please contact your account manager or our support team.
Original Post 06/07/2018
This week, Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which include the Thawte, GeoTrust, and RapidSSL brands. We have given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.
If you have yet to replace your legacy Symantec certificates, you will need to do so as soon as possible to ensure ongoing compatibility with web browsers. DigiCert has acquired Symantec’s SSL business and is offering free replacements to all affected customers.
Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.
For users that still have certificates issued from legacy Symantec roots: replace your certificates as soon as possible.
If you have a certificate issued from Symantec’s roots (or any of its other brands: Thawte, GeoTrust, or RapidSSL), it will soon be distrusted in major browsers.
To avoid this, you need to get a free certificate replacement from DigiCert, which you can do now through your existing Symantec account (or Thawte, GeoTrust, or RapidSSL account). We are advising any users with these Symantec certificates to replace them as soon as possible—getting the process started today if possible—to avoid broken connections and accessibility issues with your website.
The next planned distrust in any browser will occur around July 20th when the “Canary” version of Chrome 70 releases. We are advising customers to replace their certificates before that date if possible. The consumer release version of Chrome 70 (known as “Stable”) will release in October.
It is only necessary to replace your certificate once to comply with the requirements of all browsers. When you receive your free replacement from DigiCert, it will be issued from our root certificates, which are widely trusted by end-user devices. If you have already replaced your certificate to comply with Google Chrome’s requirements, you are already compliant with the requirements from Apple and Firefox. No further action is needed.
Note that this distrust applies to the root certificates owned by Symantec. If you have replaced those certificates and have Symantec-brand certificates issued from DigiCert roots, they are not affected.