Ask a Question

Alert ID : ALERT2530

INFORMATIONAL: CWS and Managed PKI for SSL - Identify Certificates Impacted by Potential Chrome Distrust

INFORMATION

Description

Browsers have plans to remove trust of all legacy Symantec SSL/TLS certificates issued under the Symantec infrastructure. Websites secured with these legacy Symantec SSL/TLS certificates trigger security warnings in browsers and application relying on its root store.:

 

More detail from Google. Mozilla, and Apple:

Google security blog
https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html

Mozilla security blog
https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates

Apple information about distrusting Symantec certificate authorities
https://support.apple.com/en-hk/HT208860

DigiCert blog
https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/


Symantec TLS/SSL certificates affected by browser distrust are based on their issuance date. Refer to this table and check your certificate inventory for certificates at risk of potential distrust.
 



Note
:

  • Apple distrust plan will affect not only browser but also applications you can download through the App store such as banking apps.
  • Root update will be in effect for iOS 11 and Mac OS Sierra.
  • Managed PKI for SSL and Complete Website Security (CWS) did not support no CT logging option between 6/1/2016 and 12/1/2017. All CT opt-out certs between them were logged with Root domain name.

 

Also distrusted - Certificates issued from the legacy Symantec root hierarchy on or after December 1, 2017
For uninterrupted business continuity, some Managed PKI for SSL customers continue to issue certificates from the legacy Symantec root hierarchy after the December 1, 2017 switch to the DigiCert hierarchy. These certificates are already distrusted by Google Chrome and will be distrusted by Apple on July 20, 2018. Other browser vendors have not yet announced distrust plans.
 

To identtify impacted certificates:

Complete Website Security: Find certificates impacted by potential Chrome distrust

Managed PKI for SSL: Generate a real-time report to identify certificates impacted by potential Chrome mistrust