Replace Your Symantec SSL/TLS Certificates

For Symantec, Thawte, GeoTrust, and RapidSSL

Content shared from our partner Symantec’s websecurity blog.

Near the end of July 2017, Google Chrome announced a plan to first reduce and then remove trust in all Symantec, Thawte, GeoTrust, and RapidSSL-issued SSL/TLS certificates (by showing security warnings in the Chrome browser). Google broke this timeline up into three important dates: December 1, 2017, March 15, 2018, and September 13, 2018. The first date, December 1, 2017, required no action from you. However, for the 2018 dates, you must replace affected certificates to avoid Google Chrome browser security warnings. Read our blog post for details on these dates and the Chrome timeline.

New Chain of Trust

DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates. This includes certificates for Symantec and its subsidiary CAs: Thawte, GeoTrust, and RapidSSL. Going forward, all new and reissued Website Security certificates are issued by DigiCert (using one of our trusted roots) and are trusted by Google Chrome.

The new certificate chain DigiCert created does not interfere with your current certificate trust among browsers. The chain also establishes trust for your replacement certificate with Google Chrome (and other browsers) going forward.

Step 1: Make Plans to Replace Affected Certificates

To avoid Google Chrome browser security warnings about your SSL/TLS certificates not being trusted or secure, replace your affected Symantec Website Security SSL/TLS certificates before the appropriate date: March 15, 2018 or September 13, 2018, depending on when your certificates were issued. Make plans now and make sure to allow enough time for certificate issuance and for certificate installation.

No Charge Certificate Replacement

DigiCert will replace all affected certificates at no cost. Additionally, you don’t need to switch to a new account/platform. Continue to use your current Symantec account to replace and order your SSL/TLS certificates.

March 15, 2018

On or around March 15, 2018, a Chrome 66 beta release will distrust all Symantec SSL/TLS certificates issued before June 1, 2016. Google plans to release the public version on April 17, 2018.

Action: If your SSL/TLS certificate was issued before June 1, 2016 and expires on or after March 15, 2018, replace it before March 15, 2018.

Don’t wait until March 2018 to replace your affected certificates. Domains and organizations need to be validated before we can issue certificates. And don’t forget you’ll need time to install the new certificate so your website avoids Google Chrome security warnings.

September 13, 2018

On or around September 13, 2018, a Chrome 70 beta release will distrust all Symantec SSL/TLS certificates issued after June 1, 2016. Google plans to release the public version mid-October 2018.

Action: If your SSL/TLS certificate was issued after June 1, 2016 (and before December 1, 2017) and expires on or after September 13, 2018, replace it before September 13, 2018.

Don’t wait until September 2018 to replace your affected certificates. Domains and organizations need to be validated before we can issue certificates. And don’t forget you’ll need time to install the new certificate so your website avoids Google Chrome security warnings.
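The two "Action" rules above (the March 15, 2018 and September 13, 2018 dates, plus the December 1, 2017 cut-over to the new chain) are easy to get wrong when sweeping a large certificate inventory by hand. The following is an added example, not code from this post or from DigiCert or Symantec: it reads the text that `openssl x509 -noout -issuer -dates` prints for a certificate and says whether, and by when, that certificate must be replaced. It assumes the issuer organisation name is enough to recognise a certificate chained to Symantec-family (VeriSign-rooted) roots, and it puts a certificate issued exactly on June 1, 2016 into the later bucket, since the post only says "before" and "after" that day. The sample certificate summaries and issuer names are constructed for the example.

```python
"""Triage Symantec-family certificates against the Chrome distrust timeline.

Added example (not from the DigiCert/Symantec post). Encodes the post's two
"Action" rules and reads `openssl x509 -noout -issuer -dates` output.
Assumptions: issuer organisation name identifies the affected family; a
certificate issued on exactly June 1, 2016 goes in the later bucket.
"""
from datetime import datetime, date

# Issuer organisation names that identify the affected (VeriSign-rooted) family.
AFFECTED_ISSUERS = ("symantec", "thawte", "geotrust", "rapidssl", "verisign")

SPLIT_DATE = date(2016, 6, 1)    # boundary between the Chrome 66 and Chrome 70 buckets
NEW_CHAIN = date(2017, 12, 1)    # assumption: issued on/after this day = DigiCert's new chain
DISTRUST_66 = date(2018, 3, 15)  # Chrome 66 beta distrusts certs issued before SPLIT_DATE
DISTRUST_70 = date(2018, 9, 13)  # Chrome 70 beta distrusts certs issued after SPLIT_DATE


def parse_openssl_date(text):
    """Parse 'Jun  1 00:00:00 2016 GMT' as printed by `openssl x509 -dates`."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z").date()


def parse_x509_summary(text):
    """Extract issuer, notBefore and notAfter from `-issuer -dates` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return (fields["issuer"],
            parse_openssl_date(fields["notBefore"]),
            parse_openssl_date(fields["notAfter"]))


def classify(issuer, not_before, not_after):
    """Return (replacement deadline or None, reason) for one certificate."""
    if not any(name in issuer.lower() for name in AFFECTED_ISSUERS):
        return None, "issuer is not in the Symantec family"
    if not_before >= NEW_CHAIN:
        return None, "issued under DigiCert's new chain of trust"
    # Issuance date decides which Chrome release distrusts the certificate.
    deadline = DISTRUST_66 if not_before < SPLIT_DATE else DISTRUST_70
    if not_after < deadline:
        return None, "expires before its distrust date; renew as normal"
    return deadline, "replace before %s" % deadline.isoformat()


def triage(certs):
    """Classify every entry of a {name: openssl summary text} inventory."""
    report = {}
    for name, summary in certs.items():
        issuer, not_before, not_after = parse_x509_summary(summary)
        report[name] = classify(issuer, not_before, not_after)
    return report


# Constructed sample inventory in the shape `openssl x509 -in cert.pem -noout
# -issuer -dates` prints; hostnames and issuer CA names are illustrative.
SAMPLE_CERTS = {
    "www.example.com": "issuer=C = US, O = Symantec Corporation, CN = Example Symantec CA\n"
                       "notBefore=Mar  3 00:00:00 2016 GMT\n"
                       "notAfter=Mar  2 23:59:59 2019 GMT",
    "shop.example.com": "issuer=C = US, O = GeoTrust Inc., CN = Example GeoTrust CA\n"
                        "notBefore=Aug 10 00:00:00 2016 GMT\n"
                        "notAfter=Aug  9 23:59:59 2019 GMT",
    "legacy.example.com": "issuer=C = US, O = thawte, Inc., CN = Example thawte CA\n"
                          "notBefore=Feb  1 00:00:00 2014 GMT\n"
                          "notAfter=Jan 31 23:59:59 2018 GMT",
    "api.example.com": "issuer=C = US, O = DigiCert Inc, CN = Example DigiCert CA\n"
                       "notBefore=Dec 20 00:00:00 2017 GMT\n"
                       "notAfter=Dec 19 23:59:59 2019 GMT",
}

if __name__ == "__main__":
    for host, (deadline, reason) in sorted(triage(SAMPLE_CERTS).items()):
        print("%-20s %s" % (host, reason))
```

Run against real data by capturing `openssl x509 -in <file> -noout -issuer -dates` for each certificate you serve; anything with a deadline goes on the March or September replacement list, and anything reported as "renew as normal" expires before Chrome stops trusting it.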

Step 2: Help Make Sure Domains and Organizations Are Ready

To meet the Google Chrome SSL/TLS certificate replacement requirements, DigiCert must revalidate/re-authenticate all domains for DV, OV, and EV certificates. DigiCert must also revalidate/re-authenticate organizations to the extent needed for OV and EV certificates.

We will validate/authenticate your domains and organizations regardless so that we can issue your replacement certificates. However, these actions help decrease the time it takes to validate your domains and organizations:

  • Verify that you have control over a domain (All certificate replacements)
    Before we can issue a certificate, you must prove you have control over the domains on your certificate replacement request. This process is referred to as Domain Control Validation or DCV. The default DCV method is email validation.

    The email validation process works like this: DigiCert sends an authorization email to the registered owners of the domains listed publicly on a WHOIS record. We can also send the authorization email to five constructed email addresses for the domain: the admin@, administrator@, webmaster@, hostmaster@, and postmaster@ accounts for each public domain.

    Note: DigiCert doesn’t send the authorization email to the certificate requestor or account administrator. The email contains instructions to complete your domain control validation/authentication.
  • Answer the verification/authentication call (OV and EV replacements)
    Make sure that someone is aware that DigiCert will call a verified phone number to complete organization validation/authentication. This phone call usually takes place within 24 hours of the replacement certificate request being placed.
  • Provide the legally-registered organization name (OV and EV replacements)
    Make sure to provide the organization’s legally-registered name to be validated/authenticated for your OV or EV certificate. If the organization name provided is not correct, DigiCert will need to ask for it later. For example, MYCO is not correct if the legally registered name for the company is My Company, Inc.
  • Create a third-party online presence (OV and EV replacements)
    When requesting OV and EV certificates, it’s important to have an online presence for your organization (legal name, address, and phone). You can do this by listing your organization with a third-party business directory, such as Google My Business or Dun & Bradstreet.

Step 3: Replace Your Symantec (and Subsidiary CAs) SSL/TLS Certificates

These instructions outline the certificate replacement steps. For more details, see the references listed at the end.

  1. Sign in to your existing Symantec, Thawte, GeoTrust, or RapidSSL account.
  2. Find the certificate(s) you need to replace.
  3. Create a CSR (certificate signing request).
  4. Select the replace/reissue certificate option.
  5. Submit your replacement/reissue request.
  6. As soon as DigiCert has revalidated/re-authenticated your domains and organizations (as required for the certificate type), we will reissue your replacement certificate.
  7. Install your SSL/TLS certificate.

If you are affected, you will receive a message (either email or phone call) from DigiCert letting you know which certificates need to be replaced. If you want to take action now, reach out to your account representative or our Support team. Any impacted certificate will function properly until March 15, 2018, but to avoid potential issues we highly recommend you renew (if applicable) or replace any impacted certificates before March 15th.

If you’re within your 90-day renewal window, you should RENEW instead of replacing your affected certificate(s). Renewal will resolve the issue.

Our normal processing time is three to five days; however, it may take longer if we need you to provide more information. For example, when you replace your certificate, we need to revalidate it, which may require a verification call* or other validation checks. If we request an action from you, please respond as soon as possible to avoid delays. If you have multiple certificates for the same organization, subsequent requests should be issued faster once pre-validation has succeeded. We anticipate high demand leading up to March 15th and through the first quarter, so request replacements or renewals as soon as possible.

*Note regarding verification call:
Verification calls normally happen within 24 hours after the replacement request has been placed. DigiCert will call a verified phone number to complete the organization validation and authentication.

Not necessarily. You can replace your certificate on the Secure128 portal.

Replace and reissue mean the same thing. Symantec and Thawte use replace; GeoTrust, RapidSSL, and partners use reissue. Revoke means the certificate is no longer usable, regardless of brand. If you get a message from us that uses replace or reissue, the action is the same: you need to get a new certificate before the distrust dates set by Google.

At this time, we recommend you focus on the certificates that must be replaced by the March 15th date.

Your impacted certificate will only work until the distrust date. You should install your replacement certificate promptly.

After March 15, 2018, when users visit your website using Chrome or Firefox, they will see a browser warning that says the SSL/TLS certificate on your site is distrusted, and your site is not secure. It may look like the example below.

The distrust dates will apply to all certificates issued from VeriSign roots, including Symantec, Thawte, GeoTrust, and RapidSSL certificates.

We recommend replacing your 3-year certificates before February 20, 2018, so you get their full validity period. As of March 1, 2018, Certificate Authorities will no longer issue 3-year OV and DV certificates. Additionally, all OV and DV replacement certificates issued after February 28, 2018 can only have a maximum validity of 825 days, regardless of how much time remains on the certificate order. See End of Life for 3-Year OV & DV Certificates.