How to Maintain Trust in Your Symantec-Issued Certificates

November 17, 2017 Jeremy Rowley

Jeremy Rowley, EVP of Product at DigiCert, answers common questions about how customers can maintain trust in their Symantec-issued certificates.

With DigiCert’s acquisition of Symantec Website Security, there has been some misinformation in the market about how the browser timeline affects Symantec-issued certificates. After reading this, you will have a clear understanding of what the browser timeline means for you and your business, and what (if any) action you need to take to maintain trust.

What are the Chrome deadlines for distrusting Symantec roots? 

I’ve heard some customers asking if they need to reissue all their Symantec-issued certificates by December 1—this is not the case. Chrome’s timeline for distrusting Symantec certificates consists of the following milestones:

  • December 1, 2017: As of this date, Google has required that TLS certificates no longer be issued by Symantec roots, but must be issued by another CA. As of December 1, DigiCert will be issuing all certificates for Website Security customers. This date does not mandate any immediate certificate changes, but officially transfers validation and issuance of Symantec certificates to DigiCert systems. From this date forward, Symantec customers can begin to request free replacement certificates. These replacement certificates will be valid through issuance to the end of the certificate validity period.
  • ~March 15, 2018: Chrome beta will distrust certificates issued by Symantec before June 1, 2016. The public release of Chrome is expected on April 17, 2018.
  • ~September 13, 2018: Chrome beta will distrust all certificates issued by Symantec. The public release of Chrome is expected in mid-October of 2018.

How does this affect customers with Symantec certificates, and what action do they need to take?

As noted in the timeline above, Symantec-issued TLS certificates will start to be distrusted on either March 15th or September 13th of 2018 (depending on whether they were issued before or after June 1, 2016). Customers will need to reissue these affected certificates. DigiCert will be reaching out to customers to let them know which of their TLS certificates are affected, and when they need to be reissued. DigiCert will replace affected certificates at no cost.

NOTE: Symantec customers will not need to switch to a new platform, but can continue to use their Symantec console to order and reissue certificates. As of December 1, 2017, all certificates will be issued from a DigiCert root, which will continue to be trusted.

Put simply, the transition of SSL validation, issuance, and other processes to DigiCert provides Symantec customers with a path forward for maintaining trust in their SSL certificates. Symantec customers can be confident they will have continuity in their website security. 

What actions is DigiCert taking to ensure that the process for reissuing Symantec certificates goes smoothly?

Even before the DigiCert acquisition of Symantec Webite Security, Symantec selected DigiCert to operate the Sub CA under the browser requirements, and DigiCert has been working on integrating its validation and issuance systems for some time.

We are working on the following processes to meet the deadlines set forth by the browsers:

  • Replacing the Symantec back end with DigiCert’s operation and infrastructure. This ensures we can replace Symantec certificates impacted by Symantec root distrust schedules as early as December 1, 2017, using Symantec’s existing front end, workflows, and customer-facing operations.
  • Creating a path for a new root structure and cross-signing intermediates. The new infrastructure was designed to provide ubiquity in all major platforms while aligning to the browser schedules for deprecating through fall of 2018.
  • Replacing the Symantec validation processes with those currently used by DigiCert.
  • Preparing to replace (at no cost) Symantec-issued certificates affected by browser requirements. We will begin this process as early as December 1, 2017.

How will DigiCert infrastructure handle this added volume?

Although the transaction was not contemplated at the time, our preparations began a couple of years ago when we refactored our back end to create a scalable infrastructure and more robust validation process. This refactoring was prompted by the huge increase in certificate usage brought on by connected devices, often referred to as the Internet of Things.

What should customers expect from DigiCert in the future?

We feel accountable for the trust placed in us by our customers, partners, and the security community. We appreciate the patience our customers and partners have shown us, and are excited for the opportunity ahead. We have always been customer-focused and collaborative with the security community. We will continue to provide transparency about the work we’re doing on both the front and back ends. We’re eager to build on the trust we’ve established with our customers.

DigiCert has the resources, capabilities, and infrastructure to handle the scale of our new operations. We look forward to offering Symantec customers everything they loved about working with Website Security, alongside DigiCert’s focus on people and operational excellence, which has helped us build a strong, loyal customer base.

Previous Article
What are over-the-air-updates?
What are over-the-air-updates?

With more devices connected to the internet than ever before, we’re all interested in finding out how the l...

Next Article
The Security Benefits of CAA
The Security Benefits of CAA

Earlier this year, new industry standards were adopted which made Certificate Authority Authorization (CAA)...