Transitioning Symantec Certificates To A New Root Hierarchy
We are pleased to announce that the DigiCert acquisition of Symantec’s Website Security business and related PKI solutions has closed. Following industry agreements with Google and Mozilla, Symantec committed to retiring its existing root infrastructure and transitioning to DigiCert’s infrastructure. DigiCert remains committed to this plan.
The transition and planned infrastructure deprecation raise two main concerns. The first concern is about December 1st, when DigiCert will begin issuing all certificates for Symantec users. The second concern is about the new roots that Symantec certificates will use, and how they will affect certificate trust and user experience.
For most customers, we believe the transition and retirement from Symantec roots will have very little impact. This post addresses both of these concerns in depth, and acts as an introduction to the transition for those who have Symantec certificates deployed on their networks.
Note: All the information in this post only applies to SSL/TLS certificates. This is not relevant to S/MIME (email) or Code Signing certificates.
What happens on December 1, 2017?
December 1, 2017 signals the beginning of the migration away from Symantec’s root infrastructure.
On that day, all new Symantec-branded certificates you receive (including GeoTrust, Thawte, and RapidSSL) will be issued from DigiCert root certificates. These will be fully compliant with Google and Mozilla’s requirements for trust.
Note: There are no certificates that will stop working on December 1st.
Changes to certificate trust will not occur until March 2018, when the first of two stages of distrust begin.
In Chrome 66 (estimated release to beta March 2018), SSL certificates issued prior to June 1, 2016 by the old Symantec infrastructure will be distrusted. When Chrome 70 is released (estimated release to beta September 2018), that distrust will expand to all certificates issued by the old Symantec infrastructure.
Note that Mozilla will enforce the same requirements in Firefox 60 and 63, respectively. These are estimated to be released in the same months as Chrome.
For website and server operators, March 1, 2018, is a good deadline for replacing your affected certificates.
In many cases, you can follow your normal replacement schedule. If your certificates naturally expire before the above dates, you do not need to rush to replace your certificates.
What if you can’t replace your certificates by December 1, 2017? Do not worry—you don’t need to. Do not think of December 1, 2017 as a deadline. It is the beginning of your migration period—not the end.
Symantec was well known for having some of the best root ubiquity (how widely root certificates are distributed and trusted) of any Certificate Authority. This has raised some concerns about the migration to DigiCert roots, which will be used to issue all Symantec certificates starting December 1st.
DigiCert operates many root certificates and we have chosen our most widely trusted root as the replacement for Symantec’s roots. By default, we will be issuing your certificate from our DigiCert Global Root CA certificate.
This root was created in 2006 and matches the capabilities of the roots being used by Symantec.
The DigiCert Global Root CA’s ubiquity is as good as, and in some cases better than, that of the VeriSign G5 root used by Symantec. If your Symantec certificate was trusted by devices using public certificate stores, such as Windows, Mac, Android, iOS, Chrome, Firefox, or Java, then your new certificates will also be trusted. You do not need to worry about unexpected errors or changes in trust in these scenarios.
It will be important to install the DigiCert intermediate certificates along with the new end-entity (server) certificates. These will be provided with your new certificates and are needed to ensure proper certificate validation with client devices.
There are some cases where the DigiCert Global Root CA will not act as a perfect replacement for the Symantec/VeriSign root. This includes anyone who has pinned (HPKP) their Symantec-issued certificate (any certificate in the chain), or who requires compatibility with devices using custom root stores. In these cases, we are asking that you contact your Account Manager. We have prepared other roots, including options cross-signed by Symantec’s old roots, for these scenarios.
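The two checks a server operator would want from the sections above, the distrust schedule (Chrome 66/70, Firefox 60/63, keyed on the June 1, 2016 issuance date) and the requirement to serve the DigiCert intermediate so the chain reaches a trusted root, as an added example that is not DigiCert's own tooling. Certificates are modelled as plain subject/issuer/notBefore records, and all subject names, dates and the trust store contents are constructed for the example rather than taken from real certificates.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: subject, issuer, notBefore."""
    subject: str
    issuer: str
    not_before: date

# Constructed labels, not real distinguished names.
DIGICERT_ROOT = "DigiCert Global Root CA"
LEGACY_SYMANTEC_ROOTS = {"Legacy Symantec/VeriSign root (constructed)"}
TRUST_STORE = {DIGICERT_ROOT} | LEGACY_SYMANTEC_ROOTS  # what the client already trusts

def build_chain(served: list[Cert], trust_store: set[str]) -> tuple[list[Cert], Optional[str]]:
    """Walk leaf -> issuer -> ... using only certificates the server actually sent,
    stopping when the next issuer is a root in the client's trust store.
    Returns (chain, error); error names the missing link, which is where a client would fail."""
    if not served:
        return [], "no certificate served"
    by_subject = {c.subject: c for c in served}
    chain = [served[0]]
    while chain[-1].issuer not in trust_store:
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None or nxt in chain:
            return chain, f"intermediate '{chain[-1].issuer}' not served; chain incomplete"
        chain.append(nxt)
    return chain, None

def distrust_stage(chain: list[Cert]) -> Optional[tuple[str, str]]:
    """Browser releases at which a chain ending in a legacy Symantec root is distrusted."""
    if chain[-1].issuer not in LEGACY_SYMANTEC_ROOTS:
        return None
    if chain[0].not_before < date(2016, 6, 1):
        return ("Chrome 66", "Firefox 60")
    return ("Chrome 70", "Firefox 63")

def triage(served: list[Cert]) -> str:
    """One-line verdict for a served chain: incomplete, needs replacement, or fine."""
    chain, err = build_chain(served, TRUST_STORE)
    if err:
        return f"FAIL: {err}"
    stage = distrust_stage(chain)
    if stage:
        return f"REPLACE before March 1, 2018: distrusted from {stage[0]} / {stage[1]}"
    return f"OK: chains to {chain[-1].issuer}"

# Constructed sample chains: one old Symantec-issued, one new DigiCert-issued.
INT_OLD = Cert("Legacy Symantec intermediate (constructed)", "Legacy Symantec/VeriSign root (constructed)", date(2013, 1, 1))
LEAF_OLD = Cert("www.example.com", INT_OLD.subject, date(2015, 9, 1))
INT_NEW = Cert("DigiCert intermediate (constructed)", DIGICERT_ROOT, date(2017, 11, 1))
LEAF_NEW = Cert("www.example.com", INT_NEW.subject, date(2017, 12, 1))
```

Serving `LEAF_NEW` alone reproduces the failure the post warns about: the leaf is valid, but without the intermediate the client cannot reach the DigiCert Global Root CA.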