Upcoming browser distrust of HTTPS certificates

Earlier this year Chrome announced plans to distrust the Symantec Certificate Authority. Chrome was concerned about how some Symantec partners had been allowed to operate without proper auditing or supervision. To clarify Symantec also issues certificates under the Geotrust, Thawte and RapidSSL brands.

Following discussion with the browser community Symantec was required to outsource certificate management and issuance processes. Following this requirement Symantec made the decision to sell its Certificate Authority business to DigiCert Inc. This would allow DigiCert to take over the management and issuance of certificates.

From 1 December 2017 Symantec, Geotrust, Thawte and RapidSSL certificates (including reissues) are being issued from the DigiCert infrastructure. This is not affected by the upcoming distrust and no action needs to be taken.

Certificates issued by Comodo are unaffected.

Certificates Expiring before 15 March 2018

  • Certificates should be renewed as required. However certificates renewed before 1 December 2017 will need to be reissued after 1 December 2017.

Certificates Expiring after 15 March 2018

  • Certificates issued (including reissues) before 1 June 2016 with an expiry after 15 March 2018 should be reissued after 1 December 2017.
  • Certificates that expire between 1 January 2018 and 15 March 2018 should be renewed or replaced between these dates without losing validity.
  • Certificates issued (including reissues) between 1 June 2016 and 1 December 2017 with an expiry beyond 13 September 2018 should be reissued, replaced or renewed after 1 December 2017.
  • Certificates issued (including reissues) between 1 June 2016 and 1 December 2017 with an expiry BEFORE 13 September 2018 require no action.

Certificates Expiring after 13 September 2018

  • Certificates issued (including reissues) prior to 1 December 2017 need to be reissued, renewed or replaced after 1 December 2017.
  • Certificates issued (including reissues) after 1 December 2017 require no action to be taken.
We will be contacting every customer who has a certificate that needs to be reissued. For resellers we will be providing the ability to view and/or export all affected certificates within the account. We hope to have this in place very soon

Intermediate Certificate Changes

We advise all customers to make sure that when installing any certificates to ensure that the intermediate is also installed. Over the next few days the intermediate certificates will change so that certificates chain to the new infrastructure.

Reissue Process

We have been working to update our systems so that customers can reissue certificates via our website or using the API. We plan to release these updates prior to 1 December 2017. We are also bringing on board extra support resources so we can continue to provide timely assistance.

Maintenance affecting Order Process

The work required to move infrastructure is causing the requirement for maintenance windows at very short notice and affecting the uptime of the order process for Symantec certificates. This is beyond our control and can mean customers experience occasional problems placing orders. Sometimes the notice is too short for us to be able to inform customers. If you are having trouble placing an order we recommend checking the Symantec Status page.

Certificates issued by Comodo are unaffected by this maintenance work.

Switching to an alternative Certificate Authority

We understand that some customers may be unhappy with Symantec branded certificates. There is the option of switching to an alternative Certificate Authority. We have partnered with Comodo to provide an alternative. Comodo is unaffected by the upcoming browser distrust. If you are considering switching we have provided a comparison table to show the equivalent Comodo certificate.

Related Articles