Updated 08-30-2021

DigiCert has been regularly updating customers on Symantec root distrust for the past several years. The most recent guidance from Apple is that as of September 2, 2021, Apple is distrusting 9 legacy Symantec root certificates. Root distrust means all certificates issued from these roots and all objects signed from those certificates are no longer trusted on macOS and iOS after this date.

This change impacts all certificate types issued from these root certificates—TLS, code signing, document signing, S/MIME, and client—and any objects signed with certificates (active or expired) chained to any of these 9 distrusted root certificates listed below under What are the 9 impacted root certificates.

If your implementation requires Apple trust, you must reissue certificates using the DigiCert hierarchy and resign objects (code, document, email, etc.).

• Active TLS certificates chaining to these root certificates should have already been reissued from DigiCert trusted roots and should not be an issue at this point. If you have any active TLS certificates that were issued from these roots, you must reissue the certificates using DigiCert roots and install the new TLS certificates.
• Active code signing, document signing, client, and S/MIME certificates chaining to these roots need to be reissued using DigiCert roots, and any objects signed with these certificates will need to be resigned.
• Expired code signing, document signing, client, and S/MIME certificates: Distrusting and blocking root certificates means that signed objects such as code (including timestamped code), documents, and emails are no longer trusted. All objects signed with a certificate issued from these roots may no longer function as expected.

What are the 9 impacted root certificates?

• GeoTrust Primary Certification Authority
  https://crt.sh/?id=4350
• GeoTrust Primary Certification Authority - G3
  https://crt.sh/?id=847444
• thawte Primary Root CA
  https://crt.sh/?id=30
• thawte Primary Root CA - G3
  https://crt.sh/?id=254193
• VeriSign Class 3 Public Primary Certification Authority - G3
  https://crt.sh/?id=26682
• VeriSign Class 3 Public Primary Certification Authority - G4
  https://crt.sh/?id=2771491
• VeriSign Class 3 Public Primary Certification Authority - G5
  https://crt.sh/?id=93
• GeoTrust Global CA
  https://crt.sh/?id=17
• GeoTrust Primary Certification Authority - G2
  https://crt.sh/?id=3381895

Impacted customers have received direct communications on these changes. If you have additional questions, please contact your account manager or our support team.

Original Post 06/07/2018

This week, Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which includes the Thawte, GeoTrust, and RapidSSL brands. We have  given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.

If you have yet to replace your legacy Symantec certificates, you will need to do so as soon as possible to ensure on-going compatibility with web browsers. DigiCert has acquired Symantec’s SSL business and is offering free replacements to all affected customers.

Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.

For users that still have certificates issued from legacy Symantec roots: replace your certificates as soon as possible.

Distrust Guidance: Replace Now

If you have a certificate issued from Symantec’s roots (or any of its other brands: Thawte, GeoTrust, or RapidSSL), it will soon be distrusted in major browsers.

To avoid this, you need to get a free certificate replacement from DigiCert, which you can do now through your existing Symantec account (or Thawte, GeoTrust, or RapidSSL account). We are advising any users with these Symantec certificates to replace them as soon as possible—getting the process started today if possible—to avoid broken connections and accessibility issues with your website.

The next planned distrust in any browser will occur around July 20^th when the “Canary” version of Chrome 70 releases. We are advising customers to replace their certificates before that date if possible. The consumer release version of Chrome 70 (known as “Stable”) will release in October.

It is only necessary to replace your certificate once to comply with the requirements of all browsers. When you receive your free replacement from DigiCert, it will be issued from our root certificates, which are widely trusted by end-user devices. If you have already replaced your certificate to comply with Google Chrome’s requirements, you are already compliant with the requirements from Apple and Firefox. No further action is needed.

Note that this distrust applies to the root certificates owned by Symantec. If you have replaced those certificates and have Symantec-brand certificates issued from DigiCert roots, they are not affected.