Replace Your Symantec SSL/TLS Certificates
For Symantec, Thawte, GeoTrust, and RapidSSL
- Jump to:
- Step 1: Make Plans to Replace Affected Certificates
- Step 2: Help Make Sure Domains and Organizations Are Ready
- Step 3: Replace Your Symantec (and Subsidiary CAS) SSL/TLS Certificates
- Brand-Specific Certificate Replacement Instructions
Near the end of July 2017, Google Chrome created a plan to first reduce and then remove trust (by showing security warnings in the browser) for all Symantec-, Thawte-, GeoTrust-, and RapidSSL-issued SSL/TLS certificates. The plan includes changes that were rolled out starting with Chrome version 66 and continues with version 70.
You must replace your affected certificates to provide an optimal user experience for all TLS/SSL applications, including browsers. View the Apple and browser community distrust timelines here.
Here is a quick overview of some important dates to keep in mind:
|Release||Certificates Affected||First Canary Release||First Beta Release||Stable Release|
|Chrome 66||Issued before June 1, 2016||January 20, 2018||March 15, 2018||April 17, 2018|
|Chrome 70||Issued before December 1, 2017||July 20, 2018||~September 13, 2018||~October 16, 2018|
New Chain of Trust
DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017. This includes certificates for Symantec and its subsidiary CAs: Thawte, GeoTrust, and RapidSSL. Going forward, all new and reissued Website Security certificates are issued by DigiCert (using one of our trusted roots) and are trusted by Google Chrome.
The new certificate chain DigiCert created does not interfere with your current certificate trust among browsers. The chain also establishes trust for your replacement certificate with Google Chrome (and other browsers) going forward.
Step 1: Make Plans to Replace Affected Certificates
To avoid Google Chrome browser security warnings about your SSL/TLS certificates not being trusted or secure, replace your affected Symantec Website Security SSL/TLS certificates before the appropriate Canary date, depending on when your certificates were issued. Make plans now to allow enough time for certificate issuance and for certificate installation.
No Charge Certificate Replacement
DigiCert will replace all affected certificates at no cost. Additionally, you don’t need to switch to a new account/platform. Continue to use your current Symantec account to replace and order your SSL/TLS certificates.
Action: If your SSL/TLS certificate was issued before June 1, 2016 and expires on or after March 15, 2018, replace it before March 15, 2018.
Don’t wait until September 2018 to replace your affected certificates. Domains and organizations need to be validated before we can issue certificates. And don’t forget you’ll need time to install the new certificate to avoid Google Chrome security warnings.
Step 2: Help Make Sure Domains and Organizations Are Ready
To meet the Google Chrome SSL/TLS certificate replacement requirements, DigiCert must revalidate/re-authenticate all domains for DV, OV, and EV certificates. DigiCert must also revalidate/re-authenticate organizations to the extent needed for OV and
We will validate/authenticate your domains and organizations regardless so that we can issue your replacement certificates. However, these actions help decrease the time it takes to validate your domains and organizations:
- Verify that you have control over a domain (All certificate replacements)Before we can issue a certificate, you must prove you have control over the domains on your certificate replacement request. This process is referred to as Domain Control Validation or DCV. The default DCV method is email validation.The email validation process works like this: DigiCert sends an authorization email to the registered owners of the domains listed publicly on a WHOIS record. We can also send the authorization email to five constructed email addresses for the domain: the admin@, administrator@, webmaster@, hostmaster@, and postmaster@ accounts for each public domain.Note: DigiCert doesn’t send the authorization email to the certificate requestor or account administrator.The email contains instructions to complete your domain control validation/authentication.
- Answer the verification/authentication call (OV and EV replacements)Make sure that someone is aware that DigiCert will call a verified phone number to complete organization validation/ authentication. This phone call usually takes place within 24 hours of the replacement certificate request being placed.
- Provide the legally-registered organization name (OV and EV replacements)Make sure to provide the organization’s legally-registered name to be validated/authenticated for your OV or EV certificate. If the organization name provided is not the correct, DigiCert will need to ask for it later. For example, MYCO is not correct if the legally registered name for the company is My Company, Inc.
- Create a third-party online presence (OV and EV replacements)When requesting OV and EV certificates, it’s important to have an online presence for your organization (legal name, address, and phone). You can do this by listing your organization with a third-party business directory, such as Google My Business or Dun & Bradstreet.
Step 3: Replace Your Symantec (and Subsidiary CAS) SSL/TLS Certificates
This instruction outlines the certificate replacement steps. For more details, see the references listed at the end.
- Sign in to your existing Symantec, Thawte, GeoTrust, or RapidSSL account.
- Find the certificate(s) you need to replace.
- Create a CSR (certificate signing request).
- Select the replace/reissue certificate option.
- Submit your replacement/reissue request.
- As soon as DigiCert has revalidated/re-authenticated your domains and organizations (as required for the certificate type), we will reissue your replacement certificate.
- Install your SSL/TLS certificate.
Brand-Specific Certificate Replacement Instructions
Symantec™ Complete Website Security
Symantec Managed PKI for SSL
Symantec Trust Center
Symantec Trust Center Enterprise
Thawte Certificate Center (TCC)
Thawte Certificate Center Enterprise (TCCE)
GeoTrust Security Center (GSC)
GeoTrust Enterprise Security Center (GESC)
RapidSSL Security Center
How do I know if I need to replace my certificates?
If affected, you will receive a message (either email or phone call) from DigiCert, letting you know which certificates need to be replaced. If you want to take action now, reach out to your account representative or our Support team. Any impacted certificate will function properly until March 15, 2018, but to avoid potential issues we highly recommend you renew (if applicable) or replace any impacted certificates before March 15th.
Should I “renew” or “replace” if I’m within my 90-day renewal window?
If you’re within your 90-day renewal window, you should RENEW instead of replacing your affected certificate(s). Renewal will resolve the issue.
How long will it take for me to receive my replacement?
Our normal processing time is three to five days, however, it may take longer if we need you to provide more information. For example, when you replace your certificate, we will need to revalidate, which may require a verification call* or other validation checks. If we request an action from you, please comply as soon as possible to avoid delays. If you have multiple certificates for the same organization, subsequent requests should be issued faster if pre-validation was successful. FYI, we’re anticipating a high demand leading up to March 15th and through the first quarter. Request replacements or renewals as soon as possible.
*Note regarding verification call:
Verification calls normally happen within 24 hours after the replacement request has been placed. DigiCert will call a verified phone number to complete the organization validation and authentication.
If I have to replace my certificate, do I have to replace it using the DigiCert platform?
Not necessarily. You should replace your certificate on the same portal or console where you made your original purchase.
How can I know the status of the replacement process?
Customers and partners can view the status of their replacement, whether it’s pending or issued, in the console where you made the order.
Can you describe the difference between replace, reissue, and revoke?
Replace and reissue mean the same thing. Symantec and Thawte use replace; GeoTrust, RapidSSL, and partners use reissue. Revoke means the certificate is no longer usable, regardless of brand. If you get a message from us that uses replace or reissue, the action is the same: you need to get a new certificate to avoid distrust dates set by Google.
Why are only Symantec, Thawte, GeoTrust, and RapidSSL certificates required to be replaced?
Please contact us for more information.
I have certificates that will be distrusted in March and some in September. Should I replace them at the same time?
We recommend you focus on replacing your certificates that need to be replaced by the March 15th date at this time.
What happens to the installed certificate that is being replaced?
Your impacted certificate will only work until the distrust date. You should install your replacement certificate promptly.
What happens if I don’t replace my certificate?
After March 15, 2018, when users visit your website using Chrome or Firefox, they will see a browser warning that says the SSL/TLS certificate on your site is distrusted, and your site is not secure. It may look like the example below.
Do the distrust dates apply to certificates issued from VeriSign roots, or only to Symantec, Thawte, GeoTrust, and RapidSSL certificates?
The distrust dates will apply to all certificates issued from VeriSign roots, including Symantec, Thawte, GeoTrust, and RapidSSL certificates.
Is Chrome the only browser which will distrust these certificates?
What about 3-year certificates?
We recommend replacing your 3-year certificates before February 20, 2018, so you get their full validity period. As of March 1, 2018, Certificate Authorities will no longer issue 3-year OV and DV certificates. Additionally, all OV and DV replacement certificates issued after February 28, 2018 can only have a maximum validity of 825 days, regardless of how much time remains on the certificate order. See End of Life for 3-Year OV & DV Certificates.