Alert ID : ALERT2525

Last Modified : 10/16/2018

INFORMATIONAL: Symantec Trust Center and Trust Center Enterprise - Identify Certificates Impacted by Potential Chrome Distrust

INFORMATION

Description

Chrome 70 is live as of 10-16-2018. Distrust errors may not be displayed immediately, as distrust is done in stages and independent of Chrome release dates. Please reference the following for more information:
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/symantec-legacy-pki

 

On September 11, 2017, Google posted a blog entitled Chrome’s Plan to Distrust Symantec Certificates.

One aspect of Google’s proposal is that starting March 15, 2018, Chrome 66 will distrust the Symantec certificates issued prior to June 1, 2016 and Chrome 70 will eventually distrust all Symantec certificates issued under the current infrastructure. Symantec expects to issue all new public SSL/TLS certificates from the new infrastructure by December 1, 2017.

Additional information can be found in the following article: Replace Your Symantec SSL/TLS Certificates


**Update**
Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which includes the Thawte, GeoTrust, and RapidSSL brands. We have given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.

Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.

Apple's announcement does not require you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. Continue to follow our guidance on meeting the Chrome timelines and your reissued certificates will work with all browsers. The only certificates to be distrusted by Apple this summer are those that you should have already replaced to comply with Chrome 66 requirements.

Apple advisory: https://support.apple.com/en-hk/HT208860
Our blog: https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/
 

We recommend that you replace these certificates based on the Chrome release schedule.

Case 1: If you have Symantec certificates issued prior to June 1, 2016 that expire before March 15, 2018, there is no action required.

Case 2: If you have Symantec certificates issued prior to June 1, 2016 that expire on or after March 15, 2018 but before September 13, 2018, you must replace them by March 15, 2018.

Case 3: If you have Symantec certificates issued prior to June 1, 2016 that expire on or after September 13, 2018, you need to replace them starting December 1, 2017 and complete by March 15, 2018.

Case 4: If you have Symantec certificates issued on or after June 1, 2016 that expire on or after September 13, 2018, you need to replace them starting December 1, 2017 and complete by September 13, 2018.
 

Table view of information above:

| Case | Issued | Expires | Begin to Replace | Complete Replacement by |
|---|---|---|---|---|
| 1 | Before June 1, 2016 | Before March 15, 2018 | N/A – no action required | N/A – no action required |
| 2 | Before June 1, 2016 | On or between March 15, 2018 and September 12, 2018 | Any time | March 15, 2018 |
| 3 | Before June 1, 2016 | On or after September 13, 2018 | December 1, 2017 | March 15, 2018 |
| 4 | On or after June 1, 2016 | On or after September 13, 2018 | December 1, 2017 | September 13, 2018 |

 


Please perform the following steps to generate a report to identify impacted certificates if you are a Symantec Trust Center (STC) customer or a Symantec Trust Center Enterprise (STCE) customer.

Instructions for Symantec Trust Center (STC)
Instructions for Symantec Trust Center Enterprise (STCE)
 

 

Instructions for Symantec Trust Center (STC)

Step 1:  Identify Certificates to be Replaced

  1. Access and log in to the Symantec Trust Center (STC)
  2. Click on Expires to re-organize the certificate list by expiration date.
  3. Refer to the Cases listed above to determine which certificates need to be replaced.
    Note:  Ignore all Code Signing certificates as they are not at risk.

Step 2:  Replace the Certificates Identified from Step 1

Additional information can be found in the Knowledge Base article entitled Replace an SSL Certificate from Symantec Trust Center account.
 

 

Instructions for Symantec Trust Center Enterprise (STCE)

Step 1: Generate report

  1. Access the Symantec Trust Center Enterprise (STCE)
  2. From Common Tasks on the right-hand side, click Generate a new report
  3. Select a Report type (Detail is the default)
  4. Select a File format (Excel will allow you to sort by the columns)
  5. Enter a Date range (Start date should be earlier than 01/01/2014)
  6. Select All organizations
  7. Select All Certificate types
  8. Select Valid Certificate Status
  9. Make sure that “Validity start date”, “Validity end date” and “Server platform” are included in the report, along with any other data that will help you identify certificates.
  10. Click Generate

 

Step 2: Identify the certificates that are at risk

  1. Open the report
  2. Impacted certificates for case 2:
    a. Sort by “Validity Start Date” to see the certificates issued before June 1, 2016
    b. Sort by “Validity End Date” to see the certificates expiring on or between March 15, 2018 and September 12, 2018
  3. Impacted certificates for case 3:
    a. Sort by “Validity Start Date” to see the certificates issued before June 1, 2016
    b. Sort by “Validity End Date” to see the certificates expiring on or after September 13, 2018
  4. Impacted certificates for case 4:
    a. Sort by “Validity Start Date” to see the certificates issued on or after June 1, 2016
    b. Sort by “Validity End Date” to see the certificates expiring on or after September 13, 2018
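
The sorting in Step 2 can also be done in one pass over the exported report. The following Python script is an added example, not part of the original alert or any Symantec tooling: it applies the four cases to each row and lists the certificates to replace, earliest deadline first. It assumes the report was saved as CSV with MM/DD/YYYY dates; the "Common name" and "Certificate type" column names are hypothetical, and the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

# Cut-off dates from the four cases in this alert.
ISSUED_CUTOFF = date(2016, 6, 1)
FIRST_DEADLINE = date(2018, 3, 15)
SECOND_DEADLINE = date(2018, 9, 13)
COMPLETE_BY = {2: FIRST_DEADLINE, 3: FIRST_DEADLINE, 4: SECOND_DEADLINE}

def classify(start, end):
    """Return the alert's case number (1-4), or None if no case is listed."""
    if start < ISSUED_CUTOFF:
        if end < FIRST_DEADLINE:
            return 1  # expires before the first deadline: no action required
        return 2 if end < SECOND_DEADLINE else 3
    # Issued on or after June 1, 2016: the alert lists only case 4.
    return 4 if end >= SECOND_DEADLINE else None

def impacted(report_csv, date_format="%m/%d/%Y"):
    """Return (name, case, complete-by date) for certificates in cases 2-4."""
    found = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # "Certificate type" and "Common name" are assumed column names.
        if "code signing" in row["Certificate type"].lower():
            continue  # the alert says code signing certificates are not at risk
        start = datetime.strptime(row["Validity start date"], date_format).date()
        end = datetime.strptime(row["Validity end date"], date_format).date()
        case = classify(start, end)
        if case in COMPLETE_BY:
            found.append((row["Common name"], case, COMPLETE_BY[case]))
    # Earliest deadline first, then by name.
    return sorted(found, key=lambda r: (r[2], r[0]))

# Constructed sample rows (not real certificates), including boundary dates.
SAMPLE = """Common name,Certificate type,Validity start date,Validity end date
old.example.com,SSL,02/10/2015,02/10/2018
shop.example.com,SSL,05/31/2016,03/15/2018
api.example.com,SSL,01/20/2016,09/13/2018
www.example.com,SSL,06/01/2016,06/01/2019
short.example.com,SSL,08/01/2016,08/01/2018
installer,Code Signing,01/01/2015,01/01/2019
"""

if __name__ == "__main__":
    for name, case, by in impacted(SAMPLE):
        print(f"case {case}: replace {name} by {by.isoformat()}")
```

A certificate issued on or after June 1, 2016 that expires before September 13, 2018 matches none of the four cases, so `classify` returns `None` for it and the script leaves it out of the list.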

 

Step 3: Replace the certificates identified in Step 2

Additional information can be found in the Knowledge Base article entitled Replace SSL certificate within Symantec Trust Center Enterprise.