What to Do If Your Users Are Seeing Warning Messages in Chrome and Other Browsers

Here, you’ll find the information you need to replace your Symantec-issued certificates and stop user warnings from displaying on your site.

What is happening?

Google Chrome, Mozilla Firefox, and other major browsers are in the process of deprecating trust in certificates that were issued off Symantec Certificate Authority infrastructure. This includes Symantec, GeoTrust, Thawte, and RapidSSL certificates.

DigiCert will replace all affected certificates at no cost. Additionally, you do not need to switch to a new account or platform. Continue to use your current Symantec Website Security, GeoTrust, Thawte, or RapidSSL account to replace and order your SSL/TLS certificates. For a step-by-step guide to reissuing your certificates, skip to the bottom of this page.

What sites does this affect?

If your site is using a certificate in the Symantec group of brands that was issued before June 1, 2016, the Chrome 66 update is likely displaying warning messages to your users. For further details on the Chrome timeline, read our blog post.

If you have a certificate affected by this distrust, your users will see a warning that their “connection is not private,” as shown in the screenshot below.

How do I replace my affected certificates?

Follow these simple steps:

  1.  Sign in to your existing Symantec, Thawte, GeoTrust, or RapidSSL account.
  2.  Find the certificate(s) you need to replace.
  3.  Create a CSR (certificate signing request).
  4.  Select the replace/reissue certificate option.
  5.  Submit your replacement/reissue request.
  6.  As soon as DigiCert has revalidated/re-authenticated your domains and organizations (as required for the certificate type), we will reissue your replacement certificate.
  7.  Install your SSL/TLS certificate.

Following these steps will give you the same branded certificate you’ve been using on your site, reissued on the trusted DigiCert infrastructure.

Brand-Specific Replacement Instructions

Symantec® Complete Website Security
Symantec Managed PKI for SSL
Symantec Trust Center
Symantec Trust Center Enterprise
Thawte Certificate Center (TCC)
Thawte Certificate Center Enterprise (TCCE)
GeoTrust Security Center (GSC)
GeoTrust Enterprise Security Center (GESC)
RapidSSL Security Center


How do I know if I need to replace my certificates?

Should I “renew” or “replace” if I’m within my 90-day renewal window?

How long will it take for me to receive my replacement?

If I have to replace my certificate, do I have to replace it using the DigiCert platform?

How can I know the status of the replacement process?

Can you describe the difference between replace, reissue, and revoke?

Why are only Symantec, Thawte, GeoTrust, and RapidSSL certificates required to be replaced?

I have certificates that will be distrusted in March and some in September. Should I replace them at the same time?

What happens to the installed certificate that is being replaced?

What happens if I don’t replace my certificate?

Do the distrust dates apply to certificates issued from VeriSign roots, or only to Symantec, Thawte, GeoTrust, and RapidSSL certificates?

Is Chrome the only browser which will distrust these certificates?

What about 3-year certificates?