In about a month, a large number of existing Symantec SSL certificates will be distrusted by Google Chrome as part of their removal of Symantec root certificates. Starting in Chrome 66 beta and followed up in April when Chrome 66 stable is released, certificates issued by Symantec, GeoTrust, Thawte, and RapidSSL prior to June 1, 2016, need to be replaced with a DigiCert certificate. Although many customers have already transitioned, there are still a significant number of customers that should replace their certificates. We want to share an update on how this process is working and the preparations we have made for our customers.
The distrust of a CA is a major event in the Web PKI industry. In this case, Google and Mozilla felt it necessary to distrust existing certificates before their natural expiration date in order to protect internet security. This requires action from affected websites as their deployed certificates will stop working with new browser releases.
The migration away from Symantec roots has been a significant undertaking because of the short timeframe and the volume of certificates. However, we have worked around the clock to provide and improve the migration services. Since the migration started on December 1st, we’ve issued several million certificates, and customers have begun replacing their Symantec certificates affected by the browser distrust timelines. Additionally, three out of four enterprises and the majority of SMBs have completed pre-validation.
We’ve prepared to make sure all customers are fully informed of the certificates requiring action this spring and the steps they need to take to make the necessary changes before upcoming browser updates affect their websites. This is our top focus right now.
All certificates are issued using DigiCert’s trusted roots and back-end architecture. Impacted customers may order replacement certificates, for free, via their Symantec front-end portals. There is no need to learn new systems, work with new account representatives, or worry about negotiating new contracts. Customers can replace certificates similarly to how they would handle a typical renewal.
We know this is especially important to our enterprise users who have integrated with APIs or other Symantec tools and have large volumes of certificates deployed across their websites.
To facilitate the migration, DigiCert released a tool that customers can use to determine whether certificate replacement is required.
Browser distrust of Symantec-issued certificates will occur in two stages. For now, we’re focused on making sure our customers are prepared for the first stage, which will occur on March 15th. By September/October, all remaining certificates issued on Symantec roots will need to be transitioned to trusted DigiCert roots.
We’ve reached out to every customer whose certificate(s) are affected, and we’ll continue to communicate as the deadline approaches.
Note that if you were a DigiCert customer using DigiCert certificates, these changes have no effect on you. This only affects our new customers who had been using Symantec SSL certificates.
Preparing for Browser Distrust
On March 15, 2018, the beta of Chrome version 66 will be released and these legacy Symantec certificates will no longer be trusted (again, this only affects Symantec certificates issued before June 1, 2016). Chrome Beta is only used by a fraction of Chrome’s overall user base, but we still consider it significant enough that we are striving to replace affected certificates before that date. The “Stable” release—the main version used by consumers—follows a month later.
Firefox will distrust the same set of certificates later in the year. You are not required to take action for each specific browser—replacing your certificate once is all that’s needed.
These certificates must be reissued and replaced before the March 15 deadline in order to avoid untrusted certificate errors on Chrome beta, which will interrupt website service and obstruct visitors to your site.
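The first-stage criterion above (issued under the Symantec, GeoTrust, Thawte, or RapidSSL brands before June 1, 2016) can be checked from a certificate's issuer and start date. The script below is an added example, not DigiCert's tool; it reads the text printed by `openssl x509 -noout -issuer -startdate`, and it assumes that a brand name in the issuer field is enough to identify the issuing CA. The sample inputs are constructed.

```python
import re
from datetime import datetime, timezone

# Cutoff date and brand names are the ones stated in the post.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
LEGACY_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
ISSUER = re.compile(r"^issuer=\s*(.+)$", re.M)
NOT_BEFORE = re.compile(
    r"^notBefore=([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\d{4}) GMT$",
    re.M)


def parse_summary(text):
    """Parse `openssl x509 -noout -issuer -startdate` output."""
    issuer, start = ISSUER.search(text), NOT_BEFORE.search(text)
    if not issuer or not start or start.group(1) not in MONTHS:
        raise ValueError("expected issuer= and notBefore= lines")
    mon, day, hh, mm, ss, year = start.groups()
    issued = datetime(int(year), MONTHS[mon], int(day),
                      int(hh), int(mm), int(ss), tzinfo=timezone.utc)
    return issuer.group(1).strip(), issued


def needs_replacement(text):
    """True if the certificate falls in the first distrust stage."""
    issuer, issued = parse_summary(text)
    # Assumption: a legacy brand name in the issuer DN identifies the CA.
    legacy = any(brand in issuer.lower() for brand in LEGACY_BRANDS)
    return legacy and issued < CUTOFF


# Constructed sample outputs (not taken from real deployments).
SAMPLES = {
    "legacy-old": "issuer=C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3\n"
                  "notBefore=May 10 00:00:00 2016 GMT\n",
    "legacy-on-cutoff": "issuer= /C=US/O=Symantec Corporation"
                        "/CN=Symantec Class 3 Secure Server CA - G4\n"
                        "notBefore=Jun  1 00:00:00 2016 GMT\n",
    "digicert": "issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA\n"
                "notBefore=Jan 15 12:30:00 2015 GMT\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "replace" if needs_replacement(text) else "ok for stage one")
```

A certificate that passes this check can still fall under the second stage, which covers all remaining certificates issued on Symantec roots.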
The process for replacing affected certificates will be extremely similar to how you renewed or ordered certificates in the past. You’ll need to submit an order/certificate request, complete validation (some customers may require more thorough validation to meet DigiCert’s requirements), and replace and install the new certificate on your server(s).
To prepare for this volume of reissuance, we’ve expanded our Support and Validation departments and expedited training over the last couple of months.
We understand this upcoming deadline can seem overwhelming—but rest assured that DigiCert’s team is here to help. If you are a Symantec SSL customer looking for more guidance, please see this page.