Google Chrome & Symantec SSL Certificates Issue

November 13, 2017

You may have heard about the problems between Google and Symantec in the press. Earlier this year, after incidents with Symantec certificates became public, Google decided to take action and announced plans to distrust all SSL certificates of the Symantec product group in its Google Chrome browser. The companies had many conversations with each other, as this approach would affect a huge number of Internet users.

Google and Symantec finally agreed on a strategy that would allow Symantec to maintain its certificate business. This is only possible if Symantec no longer acts as a Certificate Authority, since Google Chrome will distrust all Symantec certificates in 2018. Instead, as of December 1, 2017, the DigiCert Public Key Infrastructure (PKI) will be used to issue certificates, and Symantec will technically become a Subordinate Certificate Authority (SubCA). Similarly, all other Symantec certificate brands will be classified as SubCAs as well.

Need to reissue all affected certificates:

With the release of Chrome 66 (estimated March 2018), Google will initially distrust all Symantec certificates issued before June 1, 2016. With the release of Chrome 70 (estimated September 2018), Google will finally distrust all Symantec SSL certificates issued before December 1, 2017 using the old Symantec PKI. Because Symantec had purchased additional CAs (GeoTrust, Thawte, and RapidSSL) in the past, the root certificates of those former companies were added to the Symantec root. Certificates issued by these three CAs are affected like native Symantec SSL certs and must also be reissued.

Thus, unfortunately, all Symantec, GeoTrust, Thawte, and RapidSSL certificates are affected and will be distrusted in Google Chrome in the future. To prevent your certificates from being distrusted in Google Chrome, the affected certificates must be reissued.

In conclusion, the affected certificates fall into two groups.

The details for these groups in summary:

  1. Certificates issued BEFORE June 1, 2016: These will be distrusted by Google Chrome on March 15, 2018 (= release of Chrome 66). To prevent the distrust, a reissue under the DigiCert PKI is necessary. This can be done starting December 1, 2017. There is only time for reissues UNTIL March 15, 2018. Afterwards, Google Chrome will display errors.
  2. Certificates issued BEFORE December 1, 2017: These will be distrusted by Google on September 13, 2018 (= release of Chrome 70). To prevent the distrust, a reissue under the DigiCert PKI is necessary. This can be done starting December 1, 2017. There is only time for reissues UNTIL September 13, 2018. Afterwards, Google Chrome will display errors.
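
The two groups above can be checked against a certificate inventory with a short script. This is an added example, not part of the original announcement: it sorts a certificate into group 1 or 2 from the output of `openssl x509 -noout -issuer -startdate`. Matching the brand by substring in the issuer name is an assumption of the example, and the sample certificates are constructed.

```python
from datetime import date, datetime

# Brands the article lists as affected. Matching them by substring in the
# issuer DN is an assumption of this example, not Chrome's own logic.
AFFECTED_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")

# Cutoffs and deadlines exactly as stated in the article.
GROUP1_ISSUED_BEFORE = date(2016, 6, 1)
GROUP1_DEADLINE = date(2018, 3, 15)   # release of Chrome 66
GROUP2_ISSUED_BEFORE = date(2017, 12, 1)
GROUP2_DEADLINE = date(2018, 9, 13)   # release of Chrome 70

# Constructed sample output of `openssl x509 -noout -issuer -startdate`.
SAMPLES = [
    "issuer=C = US, O = GeoTrust Inc., CN = Constructed Sample CA\n"
    "notBefore=May  3 00:00:00 2016 GMT",
    "issuer=C = US, O = thawte, CN = Constructed Sample CA\n"
    "notBefore=Jun  1 00:00:00 2016 GMT",   # boundary: not BEFORE June 1
    "issuer=C = US, O = Example Other CA, CN = Constructed Sample CA\n"
    "notBefore=Jan 15 12:30:00 2016 GMT",   # brand not listed in the article
    "issuer=C = US, O = Symantec, CN = Constructed Sample CA\n"
    "notBefore=Dec  1 00:00:00 2017 GMT",   # issued on the cutoff day itself
]

def parse_openssl(text):
    """Return (issuer, issue_date) from the two-line openssl output."""
    lines = [ln for ln in text.splitlines() if "=" in ln]
    fields = dict(ln.split("=", 1) for ln in lines)
    stamp = fields["notBefore"].replace(" GMT", "").strip()
    issued = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").date()
    return fields["issuer"].strip(), issued

def classify(issuer, issued):
    """Return (group, reissue_deadline); group 0 means not affected."""
    if not any(brand in issuer.lower() for brand in AFFECTED_BRANDS):
        return 0, None
    if issued < GROUP1_ISSUED_BEFORE:       # group 1 has the earlier deadline
        return 1, GROUP1_DEADLINE
    if issued < GROUP2_ISSUED_BEFORE:
        return 2, GROUP2_DEADLINE
    return 0, None                          # issued on or after December 1, 2017

def iter_results(samples=SAMPLES):
    return [classify(*parse_openssl(s)) for s in samples]

if __name__ == "__main__":
    for group, deadline in iter_results():
        print("not affected" if group == 0 else f"group {group}: reissue by {deadline}")
```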

The next steps:

Soon, we will contact affected customers and inform them which action is required. In addition, we provide detailed guidance on how to re-issue the affected certificates in accordance with best practices.