Replace Your Symantec SSL/TLS Certificates

For Symantec, Thawte, GeoTrust, and RapidSSL

Near the end of July 2017, Google Chrome created a plan to first reduce and then remove trust (by showing security warnings in the browser) for all Symantec-, Thawte-, GeoTrust-, and RapidSSL-issued SSL/TLS certificates. The plan affects certificates in upcoming browser releases, starting with Chrome 66 and continuing in Chrome 70.

You must replace your affected certificates to avoid Google Chrome browser security warnings in these versions of the Chrome browser. Read our blog post for details on these dates and the Chrome timeline.

Here is a quick overview of some important dates to keep in mind:

Release   | Certificates Affected            | First Canary Release | First Beta Release  | Stable Release
----------|----------------------------------|----------------------|---------------------|------------------
Chrome 66 | Issued before June 1, 2016       | January 20, 2018     | March 15, 2018      | April 17, 2018
Chrome 70 | Issued before December 1, 2017   | July 20, 2018        | ~September 13, 2018 | ~October 16, 2018

New Chain of Trust

DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates. This includes certificates for Symantec and its subsidiary CAs: Thawte, GeoTrust, and RapidSSL. Going forward, all new and reissued Website Security certificates are issued by DigiCert (using one of our trusted roots) and are trusted by Google Chrome.

The new certificate chain DigiCert created does not interfere with your current certificate trust among browsers. The chain also establishes trust for your replacement certificate with Google Chrome (and other browsers) going forward.

Step 1: Make Plans to Replace Affected Certificates

To avoid Google Chrome browser security warnings about your SSL/TLS certificates not being trusted or secure, replace your affected Symantec Website Security SSL/TLS certificates before the appropriate Canary date, depending on when your certificates were issued. Make plans now to allow enough time for certificate issuance and for certificate installation.

No Charge Certificate Replacement

DigiCert will replace all affected certificates at no cost. Additionally, you don’t need to switch to a new account/platform. Continue to use your current Symantec account to replace and order your SSL/TLS certificates.

Chrome 66

On or around January 20, 2018, the Chrome 66 Canary release will distrust all Symantec SSL/TLS certificates issued before June 1, 2016. Google plans to release the public (Stable) version on April 17, 2018.

Action: If your SSL/TLS certificate was issued before June 1, 2016 and expires on or after March 15, 2018, replace it before March 15, 2018.

Don’t wait until March 2018 to replace your affected certificates. Domains and organizations need to be validated before we can issue certificates. And don’t forget you’ll need time to install the new certificate so your website avoids Google Chrome security warnings.

Chrome 70

On or around July 20, 2018, the Chrome 70 Canary release will distrust all Symantec SSL/TLS certificates issued after June 1, 2016. Google plans to release the public (Stable) version mid-October 2018.

Action: If your SSL/TLS certificate was issued after June 1, 2016 (and before December 1, 2017) and expires on or after September 13, 2018, replace it before July 20, 2018.

Don’t wait until September 2018 to replace your affected certificates. Domains and organizations need to be validated before we can issue certificates. And don’t forget you’ll need time to install the new certificate to avoid Google Chrome security warnings. This is why we recommend replacing your certificates ahead of the Canary release in July—so you have plenty of time before the Stable release.
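The two "Action" rules above (Chrome 66 and Chrome 70) reduce to a check on a certificate's issuer and its notBefore/notAfter dates. The following added example, which is not part of DigiCert's page or tooling, applies those rules to certificate metadata in the shape Python's ssl.SSLSocket.getpeercert() returns; the sample certificate dictionary is constructed, and treating a certificate dated exactly June 1, 2016 as part of the Chrome 70 group is an assumption.

```python
import ssl
from datetime import date, datetime, timezone
from typing import NamedTuple, Optional

# Issuer organizations under the Chrome distrust plan (Symantec and its subsidiary CAs).
AFFECTED_ISSUERS = ("symantec", "thawte", "geotrust", "rapidssl")
# Dates from the page's Chrome 66 / Chrome 70 timeline.
CHROME66_ISSUED_BEFORE, CHROME66_BETA = date(2016, 6, 1), date(2018, 3, 15)
CHROME70_ISSUED_BEFORE = date(2017, 12, 1)
CHROME70_CANARY, CHROME70_BETA = date(2018, 7, 20), date(2018, 9, 13)


class Verdict(NamedTuple):
    needs_replacement: bool
    release: Optional[str]      # "Chrome 66", "Chrome 70" or None
    replace_by: Optional[date]  # deadline the page gives for that release
    reason: str


def classify(issuer_org: str, not_before: date, not_after: date) -> Verdict:
    """Apply the page's two 'Action' rules to one certificate's issuer and validity dates."""
    if not any(name in issuer_org.lower() for name in AFFECTED_ISSUERS):
        return Verdict(False, None, None, "issuer is not in the Symantec CA family")
    if not_before >= CHROME70_ISSUED_BEFORE:
        return Verdict(False, None, None, "issued on/after December 1, 2017 (new DigiCert chain)")
    if not_before < CHROME66_ISSUED_BEFORE:  # Chrome 66 group
        if not_after < CHROME66_BETA:
            return Verdict(False, None, None, "expires before the Chrome 66 beta; nothing to do")
        return Verdict(True, "Chrome 66", CHROME66_BETA, "issued before June 1, 2016")
    # Assumption: a certificate dated exactly June 1, 2016 falls in the Chrome 70 group.
    if not_after < CHROME70_BETA:
        return Verdict(False, None, None, "expires before the Chrome 70 beta; nothing to do")
    return Verdict(True, "Chrome 70", CHROME70_CANARY, "issued June 1, 2016 to November 30, 2017")


def _utc_date(openssl_time: str) -> date:
    """Convert an OpenSSL-style time ('Jun  1 00:00:00 2016 GMT') to a UTC calendar date."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(openssl_time), tz=timezone.utc).date()


def classify_peercert(cert: dict) -> Verdict:
    """Classify a dict in the shape returned by ssl.SSLSocket.getpeercert()."""
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return classify(issuer.get("organizationName", ""),
                    _utc_date(cert["notBefore"]), _utc_date(cert["notAfter"]))


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "GeoTrust Inc."),),
               (("commonName", "Example Intermediate CA (constructed)"),)),
    "notBefore": "Mar  3 00:00:00 2016 GMT",
    "notAfter": "Mar  3 23:59:59 2019 GMT",
}
```

Run classify_peercert() over the dictionaries collected from your own hosts to get, per certificate, the Chrome release that will distrust it and the replace-by date from the page.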

Step 2: Help Make Sure Domains and Organizations Are Ready

To meet the Google Chrome SSL/TLS certificate replacement requirements, DigiCert must revalidate/re-authenticate all domains for DV, OV, and EV certificates. DigiCert must also revalidate/re-authenticate organizations to the extent needed for OV and EV certificates.

We will validate/authenticate your domains and organizations regardless so that we can issue your replacement certificates. However, these actions help decrease the time it takes to validate your domains and organizations:

  • Verify that you have control over a domain (All certificate replacements)

    Before we can issue a certificate, you must prove you have control over the domains on your certificate replacement request. This process is referred to as Domain Control Validation or DCV. The default DCV method is email validation.

    The email validation process works like this: DigiCert sends an authorization email to the registered owners of the domains listed publicly on a WHOIS record. We can also send the authorization email to five constructed email addresses for the domain: the admin@, administrator@, webmaster@, hostmaster@, and postmaster@ accounts for each public domain.

    Note: DigiCert doesn’t send the authorization email to the certificate requestor or account administrator.

    The email contains instructions to complete your domain control validation/authentication.

  • Answer the verification/authentication call (OV and EV replacements)

    Make sure that someone is aware that DigiCert will call a verified phone number to complete organization validation/authentication. This phone call usually takes place within 24 hours of the replacement certificate request being placed.

  • Provide the legally-registered organization name (OV and EV replacements)

    Make sure to provide the organization’s legally-registered name to be validated/authenticated for your OV or EV certificate. If the organization name provided is not correct, DigiCert will need to ask for it later. For example, MYCO is not correct if the legally registered name for the company is My Company, Inc.

  • Create a third-party online presence (OV and EV replacements)

    When requesting OV and EV certificates, it’s important to have an online presence for your organization (legal name, address, and phone). You can do this by listing your organization with a third-party business directory, such as Google My Business or Dun & Bradstreet.

Step 3: Replace Your Symantec (and Subsidiary CAs) SSL/TLS Certificates

These instructions outline the certificate replacement steps. For more details, see the brand-specific references listed below.

  1. Sign in to your existing Symantec, Thawte, GeoTrust, or RapidSSL account.
  2. Find the certificate(s) you need to replace.
  3. Create a CSR (certificate signing request).
  4. Select the replace/reissue certificate option.
  5. Submit your replacement/reissue request.
  6. As soon as DigiCert has revalidated/re-authenticated your domains and organizations (as required for the certificate type), we will reissue your replacement certificate.
  7. Install your SSL/TLS certificate.

Brand-Specific Certificate Replacement Instructions

Symantec™ Complete Website Security
Symantec Managed PKI for SSL
Symantec Trust Center
Symantec Trust Center Enterprise
Thawte Certificate Center (TCC)
Thawte Certificate Center Enterprise (TCCE)
GeoTrust Security Center (GSC)
GeoTrust Enterprise Security Center (GESC)
RapidSSL Security Center

FAQs

How do I know if I need to replace my certificates?

Should I “renew” or “replace” if I’m within my 90-day renewal window?

How long will it take for me to receive my replacement?

If I have to replace my certificate, do I have to replace it using the DigiCert platform?

How can I know the status of the replacement process?

Can you describe the difference between replace, reissue, and revoke?

Why are only Symantec, Thawte, GeoTrust, and RapidSSL certificates required to be replaced?

I have certificates that will be distrusted in March and some in September. Should I replace them at the same time?

What happens to the installed certificate that is being replaced?

What happens if I don’t replace my certificate?

Do the distrust dates apply to certificates issued from VeriSign roots, or only to Symantec, Thawte, GeoTrust, and RapidSSL certificates?

Is Chrome the only browser which will distrust these certificates?

What about 3-year certificates?