Use the responses to the following frequently asked questions to help customers understand why remaining with Website Security is in their best interest. If a customer asks you a question that is not addressed here, please submit it to firstname.lastname@example.org. We will continue to update this page as new questions come in.
Why don’t the roots say Symantec or Verisign?
The existing Symantec and VeriSign roots are being distrusted by browsers next year. New roots were impossible to create with the Symantec/Verisign branding because of the short timeframe to distrust. Gaining roots embedded in browsers with sufficient ubiquity to issue trusted certificates takes a long time, generally about three years. There was no time to embed and have new branded roots trusted. Since we closed the acquisition, our executive team has evaluated our combined assets, and has found that the DigiCert Global Root CA offers one of the best ubiquities in the industry. To ensure a smooth experience, continued full trust in major root stores, and plan for the deprecation of the Symantec roots, we elected to use existing DigiCert roots for the transition plan.
Can I use a cross-signed root?
Cross-signed roots can be used on an as-needed basis. However, due to the complexities of certificate chain building, certificates coming from a cross-signed root may cause errors when Chrome removes the Symantec/VeriSign roots in 2018. Anyone using a cross-signed root is at high risk of having the certificate fail to chain properly, resulting in the cert being treated as untrusted. If you have a specific need for a cross-signed root, please contact your account manager.
What if I need the Symantec or VeriSign roots for ubiquity or pinning reasons?
You do not need to be concerned about root ubiquity. The DigiCert Global Root CA offers matching ubiquity in all major platforms (Windows, Mac, iOS, Android, Java). Your certificate will continue to be trusted on the same devices if they are using their standard platform root stores.
However, if you are using a custom root store which does not contain a DigiCert root, or have pinned your Symantec certificates, you will need a different solution. In cases where you need to maintain compatibility with the primary root certificate used by Symantec – which is the VeriSign G5 root – we have multiple cross-signed solutions for you. However, due to the technical complexities of chain building, we are only recommending these solutions for customers where compatibility with Symantec/VeriSign roots is required.
Why didn't I know about this sooner?
Due to legal restrictions, the DigiCert and Symantec teams were required to operate as separate companies prior to closing the acquisition. Since the deal closed, we’ve been making decisions quickly to minimize customer disruption. We created the new issuing CAs immediately after close, and are distributing info about them as quickly as possible.
What are the distrust deadlines set forth by the browsers, and how do they affect me?
Some customers have asked if they need to reissue all their Symantec certificates by December 1—this is not the case. Chrome’s timeline for distrusting Symantec certificates consists of the following milestones:
- December 1, 2017: From this date forward, Google has required that TLS certificates no longer be issued by Symantec roots, but must be issued by another CA. As of December 1, DigiCert will be issuing all TLS certificates for Website Security customers. This date does not mandate any certificate changes, but officially transfers validation and issuance of Symantec certificates to DigiCert systems. Beginning on this date, Symantec customers can begin to request free replacement certificates, which will provide continued trust through the end of the certificate validity period.
- ~March 15, 2018: Chrome will distrust certificates issued by Symantec before June 1, 2016.
- ~September 13, 2018: Chrome will distrust all certificates issued by Symantec. (Note these Chrome dates are for the Beta releases, which are one month earlier than the mainstream Stable release. We have provided these more conservative dates to minimize the chances that end users are affected).
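A triage sketch for the milestones above, added here as an example (it is not DigiCert or Symantec tooling): it reads a constructed certificate inventory and reports which Chrome milestone, if any, applies to each certificate. The CSV layout and the `chain` labels are assumptions; the dates are the Chrome Beta dates listed above.

```python
import csv
import io
from datetime import date

# Milestones from the timeline above (approximate Chrome Beta dates).
ISSUANCE_CUTOFF = date(2016, 6, 1)   # certificates issued before this are distrusted first
DISTRUST_OLD = date(2018, 3, 15)     # ~March 15, 2018
DISTRUST_ALL = date(2018, 9, 13)     # ~September 13, 2018

# Constructed sample inventory. The "chain" column is a hypothetical label an
# inventory tool would assign after checking which root the certificate chains to.
INVENTORY_CSV = """host,chain,not_before,not_after
shop.example.com,legacy-symantec,2015-11-20,2018-11-19
api.example.com,legacy-symantec,2017-02-01,2019-02-01
old.example.com,legacy-symantec,2016-01-10,2018-01-09
mail.example.com,legacy-symantec,2016-09-01,2018-08-31
new.example.com,digicert,2017-12-05,2019-12-05
"""


def distrust_date(chain, not_before):
    """Return the Chrome milestone that applies, or None if the chain is unaffected."""
    if chain != "legacy-symantec":
        return None
    return DISTRUST_OLD if not_before < ISSUANCE_CUTOFF else DISTRUST_ALL


def triage(csv_text):
    """Classify each certificate and sort by the date on which action is due."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        not_before = date.fromisoformat(row["not_before"])
        not_after = date.fromisoformat(row["not_after"])
        cutoff = distrust_date(row["chain"], not_before)
        if cutoff is None:
            action, deadline = "unaffected", None
        elif not_after < cutoff:
            # Expires before Chrome stops trusting it: no early reissue needed.
            action, deadline = "renew-at-expiry", not_after
        else:
            # Still valid at the milestone: needs a replacement before that date.
            action, deadline = "reissue", cutoff
        results.append({"host": row["host"], "action": action, "deadline": deadline})
    # Earliest deadline first; unaffected certificates last.
    results.sort(key=lambda r: (r["deadline"] is None, r["deadline"] or date.max))
    return results


if __name__ == "__main__":
    for r in triage(INVENTORY_CSV):
        print(f'{r["host"]:<20} {r["action"]:<16} {r["deadline"] or "-"}')
```
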
What do I need to know about the reissuance process?
There is no need to switch to the DigiCert platform. You can continue to use the CWS console to issue and manage certificates. The only difference will be on the back end, as DigiCert will be performing the validation of those certificates. We will reach out to you to let you know which of your certificates are affected and when you need to reissue them. We will replace affected certificates at no cost.
If I have to reissue my certificates anyway, why shouldn’t I switch to the DigiCert platform?
CWS is our enterprise-grade platform, with enterprise tools and functionality. Remaining on the CWS platform will allow you to avoid disruptions to your business, allowing continued use of current workflows. Migration may require creation of new processes, training personnel, building a relationship with a new account manager, losing a unified view of certificate inventory, and losing the customer trust provided by the Norton Secured Seal. Symantec and CWS also offer better localization support, while DigiCert offers English only.
In addition, if you have integrated with the CWS API, you would have to commit significant developer resources to migrate to the DigiCert API, which has an entirely different workflow and is not compatible.
What will happen to the CWS platform in the future?
CWS is our enterprise-grade platform, and you can expect to see upgrades and improvements to CWS in the future. We have already begun investing in the CWS platform to make SSL & PKI management simpler at the enterprise level. Also, CWS includes tools—like Vulnerability Assessment, Malware Scanning, Discovery and Automation, and customer success for pre- and post-sales—that are not currently available on the DigiCert platform.
Does this mean you are rebranding to DigiCert immediately?
No, we will continue to offer the Symantec CWS toolkit and Symantec Reseller tools and APIs. We will continue to sell certificates under the Symantec brand and utilize the Norton Seal, powered by Symantec. Under the new combined DigiCert construct we are electing to transition to a technically superior solution from a root standpoint, one that is required by Google and Mozilla as part of the agreement reached in late July.
The changes being made now are primarily “back-end” changes in root certificate infrastructure, which allows your certificates to meet the requirements of Google and Mozilla.
If my certificates are going to be issued by DigiCert anyway, why am I paying a premium?
- CWS is the enterprise-grade platform
- CWS includes tools like Vulnerability Assessment, Malware Scanning, Discovery and Automation, and API
- Continued access to the Norton Secured Seal
- Customer success for pre- and post-sales
- Support localized by region, language, and time zone
The Symantec name is not on the root, so why am I paying for the Symantec brand?
Although the Symantec name is not on the root, your customers will continue to see the Norton Secured Seal, which is what they recognize and trust when making online transactions. The Norton Seal is the most recognized trust seal on the internet, and will be viewed 20 billion times on Cyber Monday alone. Certificates will be issued from a DigiCert root, but your customers will not see the root name, only the Norton Seal, which is not going away.
I value Symantec for its brand recognition, but now that’s gone. Why not switch to the DigiCert platform?
Symantec’s brand recognition comes from the Norton Secured Seal, which will remain intact. Your customers will continue to see the Norton Seal on your web pages, which is the best vehicle for communicating trust. Migrating to the DigiCert platform would mean switching site seals, which could result in stalled transactions and lost revenue—not to mention, it will cost your web team time and resources.
If DigiCert has the best support, why shouldn’t I move to DigiCert?
Both DigiCert and Symantec have award-winning customer support and a customer-first focus. However, the CWS platform, and the support associated with it, are localized for the specific regions, languages, and time zones in which you operate. The current DigiCert platform does not offer the same level of localization that CWS does.
Frost & Sullivan Rebuttal
A recent Frost & Sullivan white paper titled The URGENT Concerns Facing Customers with Symantec-Issued Certificates contains many inaccurate statements that generate unwarranted concern related to the browser distrust timelines for Symantec-issued certificates. This post will help Symantec customers filter through the noise and get accurate information for maintaining trust in their Symantec-issued certificates.
The Frost & Sullivan white paper made the following claims:
Regarding Browser Timelines
CLAIM: “Symantec’s major problems with Google and Mozilla remain unresolved, and there’s no way of knowing when final details of any agreement will be settled. The current plan would require Symantec customers to do some heavy lifting.”
REALITY: On September 11, 2017, Google finalized its plan to distrust Symantec certificates and extended the timelines for reissuing Symantec certificates affected by the distrust deadlines. The DigiCert acquisition gives Website Security customers a path forward for maintaining trust in their Symantec-issued certificates. Website Security customers will be able to issue and reissue certificates using their existing Symantec platforms and tools.
Regarding Security Continuity
CLAIM: “Symantec customers could face significant disruption in their use of Symantec SSL certificates.”
REALITY: Symantec customers can be confident they will have continuity in their website security. Even before the DigiCert acquisition of Symantec Website Security, Symantec selected DigiCert to operate the Sub CA under the browser requirements, and DigiCert has been working on integrating its validation and issuance systems for some time. We are replacing (at no cost) all Symantec-issued certificates affected by browser requirements. We will begin this process as early as December 1, 2017. Put simply, the transition of SSL validation, issuance, and other processes to DigiCert provides Symantec customers with a path forward for maintaining trust in their SSL certificates.
CLAIM: “Symantec customers may have to replace the same certificates twice in a 12-month period.”
REALITY: This is not the case. The only potential reason you would need to replace a certificate twice would be if you use a cross-signed root without using the DigiCert Global G2 root. Cross-signed roots can be used on an as-needed basis, but will not be required. Removing the cross-sign when necessary and using just the Global Root G2 should also provide a seamless flow. If you have a special case, contact your account manager.
CLAIM: “Customers may additionally have to do considerable work on their systems in switching to a new CA [post-DigiCert acquisition]”
REALITY: Symantec customers will be able to continue using the Symantec platform and tools they’ve invested in. Going forward, Symantec customers will receive enhanced offerings that take the best solutions from DigiCert and Symantec to improve on a next-gen platform. On the other hand, switching to a new CA would require replacing all certificates, as well as onboarding to include new customer contacts, new certificate issuing platforms, new certificate management systems (that may not have all the features they currently enjoy from Symantec), as well as the loss of the Norton seal.
CLAIM: “Google has also required Symantec customers to undergo a new verification process (organization and domain) by another CA (DigiCert) before receiving new ‘Symantec’ certificates after the Dec. 1, 2017 deadline. Again, this will be time-consuming for existing Symantec customers.”
REALITY: DigiCert regularly performs quick one-time pre-verification of those authorized to issue within customer accounts. This process can be used to ensure a fast, seamless verification that is not manual for each individual certificate. DigiCert already boasts the fastest validation times in the industry, and will leverage its proprietary systems to provide Symantec customers with the same frictionless experience. The reduced validation times will be a big win for Symantec customers.
Regarding December 1, 2017
CLAIM: The December 1 date requires “action now.”
REALITY: As of December 1, 2017, Google has required that new TLS certificates no longer be issued by Symantec roots, but must be issued by another CA. This date does not mandate any immediate certificate changes, but officially transfers validation and issuance of Symantec certificates to DigiCert systems. This date simply represents an opportunity for Symantec customers to begin requesting free replacement certificates, using their existing Symantec portal. These replacement certificates will be valid through the end of the certificate validity period.
CLAIM: “Neither Symantec’s systems, people nor processes may be used in the issuance of any new digital certificates to Symantec customers after the December 1, 2017 deadline.”
REALITY: While the Symantec back end is being replaced by DigiCert systems for certificate issuance and validation, Symantec customers will continue to use their same front-end systems, such as Complete Website Security (CWS), and will continue to work with the account representatives and other contacts that they are used to working with. The only change for Symantec customers will be that DigiCert will perform the validation of those new certificates on the back end. Workflows, processes, and front-end tools remain the same as they were prior to the Google announcement.
CLAIM: “These upcoming Google requirements intended to protect Chrome users put Symantec customers in a major bind—they could face a significant workload in completing reverification and replacing old Symantec certificates during their normal holiday blackout period, when it would be safer to button up systems for the busy holiday season.”
REALITY: This is not the case. No certificate replacement is required until March of 2018. December 1 is simply the first date Symantec customers can begin replacing their Symantec-issued certificates at no cost. These certificates will be issued from DigiCert roots and will remain trusted through their existing validity period. Additionally, remaining with Website Security means that you will continue to have access to the Norton Secured Seal on your web pages, Symantec’s tools, and global support. The Norton Seal is viewed 20 billion times on Cyber Monday alone, providing your customers with the trust they need to make purchases during the busy holiday season.
CLAIM: “Symantec customers must start now . . . considering signing up with alternative CAs who can meet their objectives of website continuity, brand preservation, and ease of use.”
REALITY: Website Security customers can continue to use their existing Symantec platforms and tools to issue and reissue certificates at no cost, providing website continuity. The Norton Secured Seal has the best brand recognition in the market, and is viewed 20 billion times on Cyber Monday alone. Customers will continue to have access to the Norton Seal on their web pages. Additionally, Website Security customers can expect to see upgrades and improvements to their platforms as we continue to simplify SSL & PKI management.
Regarding Root Chaining and Ubiquity
CLAIM: Replacing Symantec-issued certificates from a DigiCert root “is not a good scenario for busy IT professionals.”
REALITY: DigiCert offers a path forward for Symantec customers to reissue their current certificates and maintain continuity through the end of the validity period. Switching to an alternative CA would require adopting a new platform, tools, account manager, support, and more—not to mention losing the Norton Secured Seal.
CLAIM: “Cross-signing may be required for the new customer certificates to chain up correctly to trusted roots, making use of the substitute certificates more difficult for Symantec customers.”
REALITY: Cross-signed roots can be used on an as-needed basis, but are not generally required. In the rare cases where cross-signing is needed, DigiCert will work closely with customers to ensure a smooth transition. DigiCert owns some of the most ubiquitous roots in the industry. Most customers will be transitioned to DigiCert roots, meaning complete trust in all major platforms. The cross-signs provide support for platforms where no other CA is trusted. Moving to another CA does not solve the issue, instead compounding the potential problem as there will be no path through the new CA for custom root stores and odd operating systems. With DigiCert, customers will have the option to leverage both the advanced ubiquity of the Baltimore root and the Symantec roots, giving access to root stores previously unavailable through any single CA.
CLAIM: “It might require customers to correctly install both a new end-entity certificate from DigiCert as well as a cross-signed intermediate(s) on all servers in all locations – something that could be time-consuming and/or difficult for many customers.”
REALITY: As above, cross-signs will not be used unless there is a custom root store being supported. DigiCert’s roots provide ubiquity in major browsers identical to Symantec’s roots. Replacing any cert requires installation of both the end-entity and intermediate to the devices. With DigiCert, the Symantec and DigiCert tools are available to simplify the installation and configuration process. We also provide award-winning 24×7 support to assist in the migration.
Additionally, Frost & Sullivan provided this “list of questions Symantec customers should consider as part of their strategic planning and risk avoidance planning:”
“What risks does our organization face as a result of the announced progressive distrust of Symantec certificates and proposed acquisition of the Symantec business by DigiCert? For example, how will these factors affect uptime, certificate compatibility with existing systems, internal resources, timeline and transition dates, the ability to complete customer reverification by DigiCert if the load becomes backlogged, etc.?”
ANSWER: No risk. DigiCert is ahead of the December 1 timeline for handling validation and issuance of Symantec certificates. The DigiCert Global Root CA provides one of the best ubiquities in the industry. DigiCert provides 24/7 support and has a scalable infrastructure that can handle billions of certificates. Symantec customers’ best path to maintaining continuity in their certificates, brand strength (such as the Norton seal), and global support is to keep their current certificates and contracts.
“What does the Symantec certificate migration process actually look like? Will all of your certificates be found and migrated over to the new DigiCert CA? Will you have to install any cross-signed intermediate certificates on your servers along with the new DigiCert end-entity certificates in order to get ubiquity among all the relevant browsers and applications? Do you know how much time you have to make this transition?”
ANSWER: As Chrome’s timeline has outlined, customers have until at least March to replace any affected certificates. After the close of the acquisition, our executive team evaluated our combined assets, and has found that the DigiCert Global Root CA offers one of the best ubiquities in the industry. Customers will not be required to install cross-signed intermediate certificates. If you have a special case where you need a cross-signed root, your account manager will work with you to find the right solution.
“What if DigiCert can’t hit the December 1, 2017 deadline (just weeks away) to move everything over to its platform for issuing new certificates to Symantec customers? DigiCert is a much smaller company than Symantec, and not even located in the same region. What happens if the acquisition by DigiCert doesn’t go through? According to the browsers, any further date change requests will be viewed unfavorably and may be denied. These factors could impact your organization if replacement certificates aren’t available, causing your website not to be trusted by Google Chrome and Mozilla Firefox and preventing your users from interacting with your website.”
ANSWER: DigiCert is ahead of the December 1 timeline. DigiCert has a much larger existing market share than Entrust, and is bringing over Symantec talent and resources to service customers. The acquisition of Website Security was completed October 31, 2017. DigiCert is committed to providing a smooth transition and continuity for Symantec customers.
“DigiCert must re-authenticate all Symantec customer organizations and domains before issuing new certificates this December. When will this start?”
ANSWER: Customers using any CA would need to follow the same process, but, unlike other CAs, DigiCert already has a reputation for fast, high-quality validation. DigiCert can handle pre-verification for Symantec customers in a seamless way. As early as December 1, 2017, customers can start replacing affected certificates, though many will choose to do so after the holidays, since they have until March of 2018.
“Has Symantec offered any price or contract concessions to you to make up for the changes, disruption and additional work required for its customers? Can Symantec customers simply cancel their current agreements and move to another CA if they choose?”
ANSWER: Website Security customers can continue with their existing contracts, and will be able to issue and reissue certificates (at no cost) from their existing Symantec platform.