
Alert ID : ALERT2562

Last Modified : 10/16/2018

Reissue Certificates before Distrust Deadlines

URGENT

Description

Chrome 70 is live as of 10-16-2018. Distrust errors may not be displayed immediately, as distrust is done in stages and is independent of Chrome release dates. Please reference the following for more information:
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/symantec-legacy-pki


All SSL/TLS certificates issued from the Symantec infrastructure (before December 1, 2017) will require re-issuance to ensure continuity for your customers. This includes all brands in the Symantec family – Symantec, Thawte, GeoTrust and RapidSSL. It is strongly advised to reissue certificates as soon as possible to avoid risk or delays. Refer to our ongoing outreach for details about which certificates will be impacted, or contact your account manager now. We will replace all affected certificates at no cost to you. Since certificates issued from the DigiCert root hierarchy are not impacted by these deadlines, you can continue to order and manage new certificates.


**Update**
Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which includes the Thawte, GeoTrust, and RapidSSL brands. We have given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.

Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.

Apple's announcement does not require you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. Continue to follow our guidance on meeting the Chrome timelines and your reissued certificates will work with all browsers. The only certificates to be distrusted by Apple this summer are those that you should have already replaced to comply with Chrome 66 requirements.

Apple advisory: https://support.apple.com/en-hk/HT208860
Our blog: https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/
 

Workaround

You can use our simple web-based tool to check whether any domain has a GeoTrust, RapidSSL, Symantec, or Thawte certificate and needs action related to upcoming releases of Google Chrome. The upcoming deadline for Chrome 66 distrust is approaching quickly, so we recommend taking action as soon as possible on any affected certificates.

https://www.websecurity.symantec.com/support/ssl-checker
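
A local version of this kind of check, as an added example (not the vendor's tool or code): it takes certificate dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()` and flags those whose issuer names one of the four brands and whose `notBefore` is earlier than December 1, 2017. Matching on the issuer name is a heuristic assumed here, and the function names, host names and sample certificates are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Cutoff stated in the alert: certificates issued before December 1, 2017.
CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)
# Brands listed in the alert; matching them in the issuer name is a heuristic.
LEGACY_BRANDS = ("symantec", "thawte", "geotrust", "rapidssl")


def issuer_fields(cert):
    """Flatten the nested issuer RDN tuples of a getpeercert() dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def needs_reissue(cert):
    """Return (flag, reason) for one certificate dict."""
    issuer = issuer_fields(cert)
    text = " ".join(issuer.get(k, "") for k in ("organizationName", "commonName")).lower()
    brand = next((b for b in LEGACY_BRANDS if b in text), None)
    if brand is None:
        return False, "issuer is not one of the listed brands"
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    when = issued.strftime("%Y-%m-%d")
    if issued < CUTOFF:
        return True, f"{brand} issuer, issued {when}, before the cutoff"
    return False, f"{brand} issuer, issued {when}, on or after the cutoff"


def sample_cert(org, common_name, not_before):
    """Build a dict shaped like getpeercert() output (hypothetical helper)."""
    issuer = ((("organizationName", org),), (("commonName", common_name),))
    return {"issuer": issuer, "notBefore": not_before}


# Constructed sample certificates, not real inventory data.
SAMPLE = {
    "old.example": sample_cert("GeoTrust Inc.", "GeoTrust Example CA", "Jun 15 00:00:00 2016 GMT"),
    "new.example": sample_cert("DigiCert Inc", "GeoTrust Example CA 2018", "Mar 10 00:00:00 2018 GMT"),
    "other.example": sample_cert("Example CA Ltd", "Example Issuing CA", "Jan 05 00:00:00 2016 GMT"),
}


def inventory(certs):
    """Map each host to True when its certificate should be reissued."""
    return {host: needs_reissue(cert)[0] for host, cert in certs.items()}


if __name__ == "__main__":
    for host, cert in SAMPLE.items():
        print(host, *needs_reissue(cert))
```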

Action Required

For certificates that require replacement, please submit for a free replacement ahead of the distrust dates mentioned above.

 

Resolution

Please use the links below to find instructions for each of the different platforms.

 

| Brand | Account | Link |
| --- | --- | --- |
| Symantec | Symantec Trust Center (STC) | Replacement Instructions |
| Symantec | Symantec Trust Center Enterprise (STCE) | Replacement Instructions |
| Symantec | Managed PKI for SSL (MPKI SSL) | Replacement Instructions |
| Symantec | Reseller End User Portal | Replacement Instructions |
| GeoTrust | GeoTrust Security Center (GSC) | Replacement Instructions |
| GeoTrust | GeoTrust Security Center Enterprise (GSCE) | Replacement Instructions |
| GeoTrust | Reseller End User Portal | Replacement Instructions |
| RapidSSL | Retail Security Center (RSC) | Replacement Instructions |
| RapidSSL | Reseller End User Portal | Replacement Instructions |
| Thawte | Thawte Certificate Center (TCC) | Replacement Instructions |
| Thawte | Thawte Certificate Center Enterprise (TCCE) | Replacement Instructions |
| Thawte | Reseller End User Portal | Replacement Instructions |