Description

Many SSL/TLS certificates issued from the Symantec infrastructure will require re-issuance by certain deadlines to ensure continuity for your customers. Some certificates need attention immediately. Some can wait. The first deadline is 15 March 2018, which impacts only certificates issued before 1 June 2016 and expiring on/after 15 March 2018; it is strongly advised to reissue certificates within these dates as soon as possible to avoid risk or delays. Refer to our ongoing outreach for details about which certificates will be impacted by the upcoming deadline, or contact your account manager now. In advance of the remaining deadlines, we will continue outreach to you to specify which certificates are affected and when they need to be reissued. We will replace all affected certificates at no cost to you. Since certificates issued from the DigiCert root hierarchy are not impacted by these deadlines, you can continue to order and manage new certificates. Learn more.

**Update**
Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which includes the Thawte, GeoTrust, and RapidSSL brands. We have  given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.

Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.

Apple's announcement does not require you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. Continue to follow our guidance on meeting the Chrome timelines and your reissued certificates will work with all browsers. The only certificates to be distrusted by Apple this summer are those that you should have already replaced to comply with Chrome 66 requirements.

Apple advisory: https://support.apple.com/en-hk/HT208860
Our blog: https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/
 

Status

Browser community distrust plan

Workaround

You can use our simple web-based tool to check whether any domain has a GeoTrust, RapidSSL, Symantec, or Thawte certificate and needs action related to upcoming releases of Google Chrome. The upcoming deadline for Chrome 66 distrust is approaching quickly, so we recommend taking action as soon as possible on any affected certificates.

https://www.websecurity.symantec.com/support/ssl-checker

Action Required

For certificates that require replacement, please submit for a free replacement ahead of the distrust dates mentioned above.

Resolution

Please use the links below to find instructions for each of the different platforms.