Ask a Question

Alert ID : ALERT2562

Reissue Certificates before Distrust Deadlines

URGENT

Description

Many SSL/TLS certificates issued from the Symantec infrastructure will require re-issuance by certain deadlines to ensure continuity for your customers. Some certificates need attention immediately. Some can wait. The first deadline is 15 March 2018, which impacts only certificates issued before 1 June 2016 and expiring on/after 15 March 2018; it is strongly advised to reissue certificates within these dates as soon as possible to avoid risk or delays. Refer to our ongoing outreach for details about which certificates will be impacted by the upcoming deadline, or contact your account manager now. In advance of the remaining deadlines, we will continue outreach to you to specify which certificates are affected and when they need to be reissued. We will replace all affected certificates at no cost to you. Since certificates issued from the DigiCert root hierarchy are not impacted by these deadlines, you can continue to order and manage new certificates. Learn more.


**Update**
Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which includes the Thawte, GeoTrust, and RapidSSL brands. We have  given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.

Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.

Apple's announcement does not require you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. Continue to follow our guidance on meeting the Chrome timelines and your reissued certificates will work with all browsers. The only certificates to be distrusted by Apple this summer are those that you should have already replaced to comply with Chrome 66 requirements.

Apple advisory: https://support.apple.com/en-hk/HT208860
Our blog: https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/
 

Status

Browser community distrust plan

Browser Version released Action
Google 65

Beta: February 1st, 2018
Stable: March 6th, 2018

Distrusts the Symantec certs issued after Dec 1 2017
66 Beta: March 15th, 2018
Stable: April 17th, 2018
Distrusts the Symantec certs issued before Jun 1 2016
70 Beta: September 15th, 2018
Stable: October 16th, 2018
Distrusts all certs signed with Symantec hierarchy
 
Firefox 60

Beta: March 13th, 2018
Stable: May 9th, 2018

Distrusts the Symantec certs issued before Jun 1 2016
63 Beta: June 26th, 2018
Stable: October 16th, 2018
Distrusts all certs signed with Symantec hierarchy
 
Microsoft TBD    
 
Apple TBD    

Workaround

You can use our simple web-based tool to check whether any domain has a GeoTrust, RapidSSL, Symantec, or Thawte certificate and needs action related to upcoming releases of Google Chrome. The upcoming deadline for Chrome 66 distrust is approaching quickly, so we recommend taking action as soon as possible on any affected certificates.

https://www.websecurity.symantec.com/support/ssl-checker

Action Required

For certificates that require replacement, please submit for a free replacement ahead of the distrust dates mentioned above.

 

Resolution

Please use the links below to find instructions for each of the different platforms.

 

Brand Account Link
Symantec Symantec Trust Center (STC) Replacement Instructions
Symantec Trust Center Enterprise (STCE) Replacement Instructions
Managed PKI for SSL (MPKI SSL) Replacement Instructions
Reseller End User Portal Replacement Instructions
 
GeoTrust GeoTrust Security Center (GSC) Replacement Instructions
GeoTrust Security Center Enterprise (GSCE) Replacement Instructions
Reseller End User Portal Replacement Instructions
 
RapidSSL Reatail Security Center (RSC) Replacement Instructions
Reseller End User Portal Replacement Instructions
 
Thawte Thawte Certificate Center (TCC) Replacement Instructions
Thawte Certificate Center Enterprise (TCCE) Replacement Instructions
Reseller End User Portal Replacement Instructions