Google Chrome’s Plan to Distrust Symantec Certificates

Overview

In 2017, Google’s attention has been drawn to a series of questionable ssl certificates issued by Symantec’s PKI. Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, GeoTrust and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements.

As a consequence, Google announced plans to distrust all Symantec certificates. These plans finally led to the acquisition of Symantec’s Website Security and related PKI solutions by DigiCert.

All certificates issued after December 1, 2017 are now issued on DigiCert’s PKI.

Action Required

Starting with Chrome 66, Chrome will remove trust in Symantec-issued (including RapidSSL, GeoTrust and thwate) certificates issued prior to June 1, 2016. Chrome 66 is currently scheduled to be released to Chrome Beta users on March 15, 2018 and to Chrome Stable users around April 17, 2018.

As a consequence all affected certificates need to be re-issued to avoid a warning message when a client access a site with a Symantec certificate installed.

Reference Timeline

Certificates issued prior to June 1, 2016

If you have a certificate that has been issued prior to June 1, 2016, the Chrome browser will no longer trust this certificate after March 15, 2018.
In order to retain trust by the Chrome browser, you need to re-issue this certificate.

Certificates issued after June 1, 2016

If you have an existing certificate that has been issued after June 1, 2016, the Chrome browser will no longer trust this certificate after September 13, 2018.
In order to retain trust by the Chrome browser, you need to re-issue this certificate.

Symantec Distrust Timeline

How-to re-issue my certificate ?

Please read more in this blog post: Reissue RapidSSL, GeoTrust, thawte and Symantec certificates

Do not hesitate to contact our support team if you need any assistance !