Transition FAQ

Have questions about the Frost &
Sullivan white paper? Read More

Use the responses to the following frequently asked questions to help customers understand why remaining with Website Security is in their best interest. If a customer asks you a question that is not addressed here, please submit it to goodquestion@digicert.com. We will continue to update this page as new questions come in.

Why don’t the roots say Symantec or Verisign?

Can I use a cross-signed root?

What if I need the Symantec or VeriSign roots for ubiquity or pinning reasons?

Why didn't I know about this sooner?

What are the distrust deadlines set forth by the browsers, and how do they affect me?

What do I need to know about the reissuance process?

If I have to reissue my certificates anyway, why shouldn’t I switch to the DigiCert platform?

What will happen to the CWS platform in the future?

Does this mean you are rebranding to DigiCert immediately?

If my certificates are going to be issued by DigiCert anyway, why am I paying a premium?

The Symantec name is not on the root, so why am I paying for the Symantec brand?

I value Symantec for its brand recognition, but now that’s gone. Why not switch to the DigiCert platform?

If DigiCert has the best support, why shouldn’t I move to DigiCert?

Frost & Sullivan Rebuttal

A recent Frost & Sullivan white paper titled The URGENT Concerns Facing Customers with Symantec-Issued Certificates contains many inaccurate statements that generate unwarranted concern related to the browser distrust timelines for Symantec-issued certificates. This post will help Symantec customers filter through the noise and get accurate information for maintaining trust in their Symantec-issued certificates.

The Frost & Sullivan white paper made the following claims:

Regarding Browser Timelines

CLAIM: “Symantec’s major problems with Google and Mozilla remain unresolved, and there’s no way of knowing when final details of any agreement will be settled. The current plan would require Symantec customers to do some heavy lifting.”

REALITY: On September 11, 2017, Google finalized its plan to distrust Symantec certificates and extended the timelines for reissuing Symantec certificates affected by the distrust deadlines. The DigiCert acquisition gives Website Security customers a path forward for maintaining trust in their Symantec-issued certificates. Website Security customers will be able to issue and reissue certificates using their existing Symantec platforms and tools.

Regarding Security Continuity

CLAIM: “Symantec customers could face significant disruption in their use of Symantec SSL certificates.”

REALITY: Symantec customers can be confident they will have continuity in their website security. Even before the DigiCert acquisition of Symantec Website Security, Symantec selected DigiCert to operate the Sub CA under the browser requirements, and DigiCert has been working on integrating its validation and issuance systems for some time. We are replacing (at no cost) all Symantec-issued certificates affected by browser requirements. We will begin this process as early as December 1, 2017. Put simply, the transition of SSL validation, issuance, and other processes to DigiCert provides Symantec customers with a path forward for maintaining trust in their SSL certificates.

CLAIM: “Symantec customers may have to replace the same certificates twice in a 12-month period.”

REALITY: This is not the case. The only potential reason you would need to replace a certificate twice would be if you use a cross-signed root without using the DIgiCert Global G2 root. Cross-signed roots can be used on an as-needed basis, but will not be required. Removing the cross-sign when necessary and using just the Global Root G2 should also provide a seamless flow. If you have special case, contact your account manager.

CLAIM: “Customers may additionally have to do considerable work on their systems in switching to a new CA [post-DigiCert acquisition]”

REALITY: Symantec customers will be able to continue using the Symantec platform and tools they’ve invested in. Going forward, Symantec customers will receive enhanced offerings that take the best solutions from DigiCert and Symantec to improve on a next-gen platform. On the other hand, switching to a new CA would require replacing all certificates, as well as onboarding to include new customer contacts, new certificate issuing platforms, new certificate management systems (that may not have all the features they currently enjoy from Symantec), as well as the loss of the Norton seal.

CLAIM: “Google has also required Symantec customers to undergo a new verification process (organization and domain) by another CA (DigiCert) before receiving new ‘Symantec’ certificates after the Dec. 1, 2017 deadline. Again, this will be time-consuming for existing Symantec customers.”

REALITY: DigiCert regularly performs quick one-time pre-verification of those authorized to issue within customer accounts. This process can be used to ensure a fast, seamless verification that is not manual for each individual certificate. DigiCert already boasts the fastest validation times in the industry, and will leverage its proprietary systems to provide Symantec customers with the same frictionless experience. The reduced validation times will be a big win for Symantec customers.

Regarding December 1, 2017

CLAIM: The December 1 date requires “action now.”

REALITY: As of December 1, 2017, Google has required that new TLS certificates no longer be issued by Symantec roots, but must be issued by another CA. This date does not mandate any immediate certificate changes, but officially transfers validation and issuance of Symantec certificates to DigiCert systems. This date simply represents an opportunity for Symantec customers to begin requesting free replacement certificates, using their existing Symantec portal. These replacement certificates will be valid through the end of the certificate validity period.

CLAIM: “Neither Symantec’s systems, people nor processes may be used in the issuance of any new digital certificates to Symantec customers after the December 1, 2017 deadline.”

REALITY: While the Symantec back end is being replaced by DigiCert systems for certificate issuance and validation, Symantec customers will continue to use their same front-end systems, such as Complete Website Security (CWS), and will continue to work with the account representatives and other contacts that they are used to working with. The only change for Symantec customers will be that DigiCert will perform the validation of those new certificates on the back end. Workflows, processes, and front-end tools remain identical as prior to the Google announcement.

CLAIM: “These upcoming Google requirements intended to protect Chrome users put Symantec customers in a major bind—they could face a significant workload in completing reverification and replacing old Symantec certificates during their normal holiday blackout period, when it would be safer to button up systems for the busy holiday season.”

REALITY: This is not the case. No certificate replacement is required until March of 2018. December 1 is simply the first date Symantec customers can begin replacing their Symantec-issued certificates at no cost. These certificates will be issued from DigiCert roots and will remain trusted through their existing validity period. Additionally, remaining with Website Security means that you will continue have access to the Norton Secured Seal on your web pages, Symantec’s tools, and global support. The Norton Seal is viewed 20 billion times on Cyber Monday alone, providing your customers with the trust they need to make purchases during the busy holiday season.

CLAIM: “Symantec customers must start now . . . considering signing up with alternative CAs who can meet their objectives of website continuity, brand preservation, and ease of use.”

REALITY: Website Security customers can continue to use their existing Symantec platforms and tools to issue and reissue certificates at no cost, providing website continuity. The Norton Secured Seal has the best brand recognition in the market, and is viewed 20 billion times on Cyber Monday alone. Customers will continue to have access to the Norton Seal on their web pages. Additionally, Website Security customers can expect to see upgrades and improvements to their platforms as we continue to simplify SSL & PKI management.

Regarding Root Chaining and Ubiquity

CLAIM: Replacing Symantec-issued certificates from a DigiCert root “is not a good scenario for busy IT professionals.”

REALITY: DigiCert offers a path forward for Symantec customers to reissue their current certificates and maintain continuity through the end of the validity period. Switching to an alternative CA would require adopting a new platform, tools, account manager, support, and more—not to mention losing the Norton Secured Seal.v

CLAIM: “Cross-signing may be required for the new customer certificates to chain up correctly to trusted roots, making use of the substitute certificates more difficult for Symantec customers.”

REALITY: Cross-signed roots can be used on an as-needed basis, but are not generally required. In the rare cases where cross-signing is needed, DigiCert will work closely with customers to ensure a smooth transition.  DigiCert owns some of the most ubiquitous roots in the industry. Most customers will be transitioned to DigiCert roots, meaning complete trust in all major platforms. The cross-signs provide support for platforms where no other CA is trusted. Moving to another CA does not solve the issue, instead compounding the potential problem as there will be no path through the new CA for custom root stores and odd operating systems. With DigiCert, customers will have the option to leverage both the advanced ubiquity of the Baltimore root and the Symantec roots, giving access to root stores previously unavailable through any single CA.

CLAIM: “It might require customers to correctly install both a new end-entity certificate from DigiCert as well as a cross-signed intermediate(s) on all servers in all locations – something that could be time-consuming and/or difficult for many customers.”

REALITY: As above, cross-signs will not be used unless there is a custom root store being supported. DigiCert’s roots provide ubiquity in major browsers identical to Symantec’s roots. Replacing any cert requires installation of both the end-entity and intermediate to the devices. With DigiCert, the Symantec and DigiCert tools are available to simplify the installation and configuration process. We also provide award-wining 24×7 support to assist in the migration.

Additionally, Frost & Sullivan provided this “list of questions Symantec customers should consider as part of their strategic planning and risk avoidance planning:”

  1. “What risks does our organization face as a result of the announced progressive distrust of Symantec certificates and proposed acquisition of the Symantec business by DigiCert? For example, how will these factors affect uptime, certificate compatibility with existing systems, internal resources, timeline and transition dates, the ability to complete customer reverification by DigiCert if the load becomes backlogged, etc.?”

    ANSWER: No risk. DigiCert is ahead of the December 1 timeline for handling validation and issuance of Symantec certificates. The DigiCert Global Root CA provides one of the best ubiquities in the industry. DigiCert provides 24/7 support and has a scalable infrastructure that can handle billions of certificates. Symantec customers’ best path to maintaining continuity in their certificates, brand strength (such as the Norton seal), and global support is to keep their current certificates and contracts.

  2. “What does the Symantec certificate migration process actually look like? Will all of your certificates be found and migrated over to the new DigiCert CA? Will you have to install any cross-signed intermediate certificates on your servers along with the new DigiCert end-entity certificates in order to get ubiquity among all the relevant browsers and applications? Do you know how much time you have to make this transition?”

    ANSWER: As Chrome’s timeline has outlined, customers have until at least March to replace any affected certificates. After the close of the acquisition, our executive team evaluated our combined assets, and has found that the DigiCert Global Root CA offers one of the best ubiquities in the industry. Customers will not be required to install cross-signed intermediate certificates. If you have a special case where you need a cross-signed root, your account manager will work with you to find the right solution.

  3. “What if DigiCert can’t hit the December 1, 2017 deadline (just weeks away) to move everything over to its platform for issuing new certificates to Symantec customers? DigiCert is a much smaller company than Symantec, and not even located in the same region. What happens if the acquisition by DigiCert doesn’t go through? According to the browsers, any further date change requests will be viewed unfavorably and may be denied. These factors could impact your organization if replacement certificates aren’t available, causing your website not to be trusted by Google Chrome and Mozilla Firefox and preventing your users from interacting with your website.”

    ANSWER: DigiCert is ahead of the December 1 timeline. DigiCert has a much larger existing market share than Entrust, and is bringing over Symantec talent and resources to service customers. The acquisition of Website Security was completed October 31, 2017. DigiCert is committed to providing a smooth transition and continuity for Symantec customers.

  4. “DigiCert must re-authenticate all Symantec customer organizations and domains before issuing new certificates this December. When will this start?”

    ANSWER: Customers using any CA would need to follow the same process, but, unlike other CAs, DigiCert already has a reputation for fast, high-quality validation. DigiCert can handle pre-verification for Symantec customers in a seamless way. As early as December 1, 2017, customers can start replacing affected certificates, though many will choose to do so after the holidays, since they have until March of 2018.

  5. “Has Symantec offered any price or contract concessions to you to make up for the changes, disruption and additional work required for its customers? Can Symantec customers simply cancel their current agreements and move to another CA if they choose?”

    ANSWER: Website Security customers can continue with their existing contracts, and will be able to issue and reissue certificates (at no cost) from their existing Symantec platform.