Alert ID : ALERT2562
Last Modified : 10/16/2018
URGENT
Chrome 70 is live as of 10-16-2018. Distrust errors may not be displayed immediately as distrust is done in stages and independent of Chrome reelease dates. Please reference the following for more information,
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/symantec-legacy-pki
All SSL/TLS certificates issued from the Symantec infrastructure (before December 1, 2017) will require re-issuance to ensure continuity for your customers. This includes all brands in the Symantec family – Symantec. Thawte, GeoTrust and RapidSSL. It is strongly advised to reissue certificates as soon as possible to avoid risk or delays. Refer to our ongoing outreach for details about which certificates will be impacted, or contact your account manager now. We will replace all affected certificates at no cost to you, . Since certificates issued from the DigiCert root hierarchy are not impacted by these deadlines, you can continue to order and manage new certificates.
**Update**
Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which includes the Thawte, GeoTrust, and RapidSSL brands. We have given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.
Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.
Apple's announcement does not require you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. Continue to follow our guidance on meeting the Chrome timelines and your reissued certificates will work with all browsers. The only certificates to be distrusted by Apple this summer are those that you should have already replaced to comply with Chrome 66 requirements.
Apple advisory: https://support.apple.com/en-hk/HT208860
Our blog: https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/
You can use our simple web-based tool to check whether any domain has a GeoTrust, RapidSSL, Symantec, or Thawte certificate and needs action related to upcoming releases of Google Chrome. The upcoming deadline for Chrome 66 distrust is approaching quickly, so we recommend taking action as soon as possible on any affected certificates.
For certificates that require replacement, please submit for a free replacement ahead of the distrust dates mentioned above.
Please use the links below to find instructions for each of the different platforms.
| Brand | Account | Link |
|---|---|---|
| Symantec | Symantec Trust Center (STC) | Replacement Instructions |
| Symantec Trust Center Enterprise (STCE) | Replacement Instructions | |
| Managed PKI for SSL (MPKI SSL) | Replacement Instructions | |
| Reseller End User Portal | Replacement Instructions | |
| GeoTrust | GeoTrust Security Center (GSC) | Replacement Instructions |
| GeoTrust Security Center Enterprise (GSCE) | Replacement Instructions | |
| Reseller End User Portal | Replacement Instructions | |
| RapidSSL | Reatail Security Center (RSC) | Replacement Instructions |
| Reseller End User Portal | Replacement Instructions | |
| Thawte | Thawte Certificate Center (TCC) | Replacement Instructions |
| Thawte Certificate Center Enterprise (TCCE) | Replacement Instructions | |
| Reseller End User Portal | Replacement Instructions | |
