Our Latest Symantec Distrust Guidance

June 7, 2018 Vincent Lynch

This week, Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which include the Thawte, GeoTrust, and RapidSSL brands. We have given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.

If you have yet to replace your legacy Symantec certificates, you will need to do so as soon as possible to ensure ongoing compatibility with web browsers. DigiCert has acquired Symantec’s SSL business and is offering free replacements to all affected customers.

Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.

For users that still have certificates issued from legacy Symantec roots: replace your certificates as soon as possible.

Distrust Guidance: Replace Now

If you have a certificate issued from Symantec’s roots (or any of its other brands: Thawte, GeoTrust, or RapidSSL), it will soon be distrusted in major browsers.

To avoid this, you need to get a free certificate replacement from DigiCert, which you can do now through your existing Symantec account (or Thawte, GeoTrust, or RapidSSL account). We are advising any users with these Symantec certificates to replace them as soon as possible—getting the process started today if possible—to avoid broken connections and accessibility issues with your website.

The next planned distrust in any browser will occur around July 20th when the “Canary” version of Chrome 70 releases. We are advising customers to replace their certificates before that date if possible. The consumer release version of Chrome 70 (known as “Stable”) will release in October.

It is only necessary to replace your certificate once to comply with the requirements of all browsers. When you receive your free replacement from DigiCert, it will be issued from our root certificates, which are widely trusted by end-user devices. If you have already replaced your certificate to comply with Google Chrome’s requirements, you are already compliant with the requirements from Apple and Firefox. No further action is needed.

Note that this distrust applies to the root certificates owned by Symantec. If you have replaced those certificates and have Symantec-brand certificates issued from DigiCert roots, they are not affected.
