Replace Your Symantec SSL/TLS Certificates

For Symantec, Thawte, GeoTrust, and RapidSSL

Near the end of July 2017, Google Chrome created a plan to first reduce and then remove trust (by showing security warnings in the Chrome browser) of all Symantec, Thawte, GeoTrust, and RapidSSL-issued SSL/TLS certificates. Google broke this timeline up into 3 important dates. December 1, 2017, March 15, 2018, and September 13, 2018. The first date, December 1, 2017, required no action from you. However, for the 2018 dates, you must replace affected certificates to avoid Google Chrome browser security warnings. Read our blog post for details on these dates and the Chrome timeline.

New Chain of Trust

DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates. This includes certificates for Symantec and its subsidiary CAs: Thawte, GeoTrust, and RapidSSL. Going forward, all new and reissued Website Security certificates are issued by DigiCert (using one of our trusted roots) and are trusted by Google Chrome.

The new certificate chain DigiCert created does not interfere with your current certificate trust among browsers. The chain also establishes trust for your replacement certificate with Google Chrome (and other browsers) going forward.

Step 1: Make Plans to Replace Affected Certificates

To avoid Google Chrome browser security warnings about your SSL/TLS certificates not being trusted or secure, replace your affected Symantec Website Security SSL/TLS certificates before the appropriate date: March 15, 2018 or September 13, 2018, depending on when your certificates were issued. Make plans now and make sure to allow enough time for certificate issuance and for certificate installation.

No Charge Certificate Replacement

DigiCert will replace all affected certificates at no cost. Additionally, you don’t need to switch to a new account/platform. Continue to use your current Symantec account to replace and order your SSL/TLS certificates.

March 15, 2018

On or around March 15, 2018, a Chrome 66 beta release will distrust all Symantec SSL/TLS certificates issued before June 1, 2016. Google plans to release the public version on April 17, 2018.

Action: If your SSL/TLS certificate was issued before June 1, 2016 and expires on or after March 15, 2018, replace it before March 15, 2018.

Don’t wait until March 2018 to replace your affected certificates. Domains and organizations need to be validated before we can issue certificates. And don’t forget you’ll need time to install the new certificate so your website avoids Google Chrome
security warnings.

September 13, 2018

On or around September 13, 2018, a Chrome 70 beta release will distrust all Symantec SSL/TLS certificates issued after June 1, 2016. Google plans to release the public version mid-October 2018.

Action: If your SSL/TLS certificate was issued after June 1, 2016 (and before December 1, 2017) and expires on, or after September 13, 2018, replace it before September 13, 2018.

Don’t wait until September 2018 to replace your affected certificates. Domains and organizations need to be validated before we can issue certificates. And don’t forget you’ll need time to install the new certificate so your website avoids Google Chrome security warnings.

Step 2: Help Make Sure Domains and Organizations Are Ready

To meet the Google Chrome SSL/TLS certificate replacement requirements, DigiCert must revalidate/re-authenticate all domains for DV, OV, and EV certificates. DigiCert must also revalidate/re-authenticate organizations to the extent needed for OV and
EV certificates.

We will validate/authenticate your domains and organizations regardless so that we can issue your replacement certificates. However, these actions help decrease the time it takes to validate your domains and organizations:

  • Verify that you have control over a domain (All certificate replacements)Before we can issue a certificate, you must prove you have control over the domains on your certificate replacement request. This process is referred to as Domain Control Validation or DCV. The default DCV method is email validation.The email validation process works like this: DigiCert sends an authorization email to the registered owners of the domains listed publicly on a WHOIS record. We can also send the authorization email to five constructed email addresses for the domain: the admin@, administrator@, webmaster@, hostmaster@, and postmaster@ accounts for each public domain.Note: DigiCert doesn’t send the authorization email to the certificate requestor or account administrator.

    The email contains instructions to complete your domain control validation/authentication.

  • Answer the verification/authentication call (OV and EV replacements)Make sure that someone is aware that DigiCert will call a verified phone number to complete organization validation/ authentication. This phone call usually takes place within 24 hours of the replacement certificate request being placed.
  • Provide the legally-registered organization name (OV and EV replacements)Make sure to provide the organization’s legally-registered name to be validated/authenticated for your OV or EV certificate. If the organization name provided is not the correct, DigiCert will need to ask for it later. For example, MYCO is not correct if the legally registered name for the company is My Company, Inc.
  • Create a third-party online presence (OV and EV replacements)When requesting OV and EV certificates, it’s important to have an online presence for your organization (legal name, address, and phone). You can do this by listing your organization with a third-party business directory, such as Google My Business or Dun & Bradstreet.

Step 3: Replace Your Symantec (and Subsidiary CAS) SSL/TLS Certificates

This instruction outlines the certificate replacement steps. For more details, see the references listed at the end.

  1. Sign in to your existing Symantec, Thawte, GeoTrust, or RapidSSL account.
  2. Find the certificate(s) you need to replace.
  3. Create a CSR (certificate signing request).
  4. Select the replace/reissue certificate option.
  5. Submit your replacement/reissue request.
  6. As soon as DigiCert has revalidated/re-authenticated your domains and organizations (as required for the certificate type), we will reissue your replacement certificate.
  7. Install your SSL/TLS certificate.

Brand-Specific Certificate Replacement Instructions

Symantec™ Complete Website Security
Symantec Managed PKI for SSL
Symantec Trust Center
Symantec Trust Center Enterprise
Thawte Certificate Center (TCC)
Thawte Certificate Center Enterprise (TCCE)
GeoTrust Security Center (GSC)
GeoTrust Enterprise Security Center (GESC)
RapidSSL Security Center


How do I know if I need to replace my certificates?

Should I “renew” or “replace” if I’m within my 90-day renewal window?

How long will it take for me to receive my replacement?

If I have to replace my certificate, do I have to replace it using the DigiCert platform?

How can I know the status of the replacement process?

Can you describe the difference between replace, reissue, and revoke?

Why are only Symantec, Thawte, GeoTrust, and RapidSSL certificates required to be replaced?

I have certificates that will be distrusted in March and some in September. Should I replace them at the same time?

What happens to the installed certificate that is being replaced?

What happens if I don’t replace my certificate?

Do the distrust dates apply to certificates issued from VeriSign roots, or only to Symantec, Thawte, GeoTrust, and RapidSSL certificates?

Is Chrome the only browser which will distrust these certificates?

What about 3-year certificates?