What to Do If Your Users Are Seeing Warning Messages in Chrome and Other Browsers
Here, you’ll find the information you need to replace your Symantec-issued certificates and stop user warnings from displaying on your site.
What is happening?
Google Chrome, Mozilla Firefox, and other major browsers are in the process of deprecating trust in certificates that were issued off Symantec Certificate Authority infrastructure. This includes Symantec, GeoTrust, Thawte, and RapidSSL certificates.
DigiCert will replace all affected certificates at no cost. Additionally, you do not need to switch to a new account or platform. Continue to use your current Symantec Website Security, GeoTrust, Thawte, or RapidSSL account to replace and order your SSL/TLS certificates. For a step-by-step guide to reissuing your certificates, skip to the bottom of this page.
What sites does this affect?
If your site is using a certificate in the Symantec group of brands that was issued before June 1, 2016, the Chrome 66 update is likely displaying warning messages to your users. For further details on the Chrome timeline, read our blog post.
If you have a certificate affected by this distrust, your users will see a warning that their “connection is not private,” as shown in the screenshot below.
How do I replace my affected certificates?
Follow these simple steps:
- Sign in to your existing Symantec, Thawte, GeoTrust, or RapidSSL account.
- Find the certificate(s) you need to replace.
- Create a CSR (certificate signing request).
- Select the replace/reissue certificate option.
- Submit your replacement/reissue request.
- As soon as DigiCert has revalidated/re-authenticated your domains and organizations (as required for the certificate type), we will reissue your replacement certificate.
- Install your SSL/TLS certificate.
Following these steps will give you the same branded certificate you’ve been using on your site, reissued on the trusted DigiCert infrastructure.
Brand-Specific Replacement Instructions
Symantec® Complete Website Security
Symantec Managed PKI for SSL
Symantec Trust Center
Symantec Trust Center Enterprise
Thawte Certificate Center (TCC)
Thawte Certificate Center Enterprise (TCCE)
GeoTrust Security Center (GSC)
GeoTrust Enterprise Security Center (GESC)
RapidSSL Security Center
How do I know if I need to replace my certificates?
If affected, you will receive a message (either email or phone call) from DigiCert, letting you know which certificates need to be replaced. If you want to take action now, reach out to your account representative or our Support team. Any impacted certificate will function properly until March 15, 2018, but to avoid potential issues we highly recommend you renew (if applicable) or replace any impacted certificates before March 15th.
Should I “renew” or “replace” if I’m within my 90-day renewal window?
If you’re within your 90-day renewal window, you should RENEW instead of replacing your affected certificate(s). Renewal will resolve the issue.
How long will it take for me to receive my replacement?
Our normal processing time is three to five days, however, it may take longer if we need you to provide more information. For example, when you replace your certificate, we will need to revalidate, which may require a verification call* or other validation checks. If we request an action from you, please comply as soon as possible to avoid delays. If you have multiple certificates for the same organization, subsequent requests should be issued faster if pre-validation was successful. FYI, we’re anticipating a high demand leading up to March 15th and through the first quarter. Request replacements or renewals as soon as possible.
*Note regarding verification call:
Verification calls normally happen within 24 hours after the replacement request has been placed. DigiCert will call a verified phone number to complete the organization validation and authentication.
If I have to replace my certificate, do I have to replace it using the DigiCert platform?
Not necessarily. You should replace your certificate on the same portal or console where you made your original purchase.
How can I know the status of the replacement process?
Customers and partners can view the status of their replacement, whether it’s pending or issued, in the console where you made the order.
Can you describe the difference between replace, reissue, and revoke?
Replace and reissue mean the same thing. Symantec and Thawte use replace; GeoTrust, RapidSSL, and partners use reissue. Revoke means the certificate is no longer usable, regardless of brand. If you get a message from us that uses replace or reissue, the action is the same: you need to get a new certificate to avoid distrust dates set by Google.
Why are only Symantec, Thawte, GeoTrust, and RapidSSL certificates required to be replaced?
Read our blog post for more information.
I have certificates that will be distrusted in March and some in September. Should I replace them at the same time?
We recommend you focus on replacing your certificates that need to be replaced by the March 15th date at this time.
What happens to the installed certificate that is being replaced?
Your impacted certificate will only work until the distrust date. You should install your replacement certificate promptly.
What happens if I don’t replace my certificate?
After March 15, 2018, when users visit your website using Chrome or Firefox, they will see a browser warning that says the SSL/TLS certificate on your site is distrusted, and your site is not secure. It may look like the example below.
Do the distrust dates apply to certificates issued from VeriSign roots, or only to Symantec, Thawte, GeoTrust, and RapidSSL certificates?
The distrust dates will apply to all certificates issued from VeriSign roots, including Symantec, Thawte, GeoTrust, and RapidSSL certificates.
Is Chrome the only browser which will distrust these certificates?
What about 3-year certificates?
We recommend replacing your 3-year certificates before February 20, 2018, so you get their full validity period. As of March 1, 2018, Certificate Authorities will no longer issue 3-year OV and DV certificates. Additionally, all OV and DV replacement certificates issued after February 28, 2018 can only have a maximum validity of 825 days, regardless of how much time remains on the certificate order. See End of Life for 3-Year OV & DV Certificates.