Ask a Question

Alert ID : AL310518204220

Chrome 70 - Replace Certificates before Distrust Deadlines

warning

Description

Many SSL/TLS certificates issued from the Symantec infrastructure will require re-issuance by certain deadlines to ensure continuity for your customers. On or around September 13, 2018, a Chrome 70 beta release will distrust all Symantec SSL/TLS certificates issued between June 1, 2016 (and before December 1, 2017).

Google plans to release the public version mid-October 2018; it is strongly advised to reissue certificates within these dates as soon as possible to avoid risk or delays. 

Refer to our ongoing outreach for details about which certificates will be impacted by the upcoming deadline, or contact your account manager now. In advance of the remaining deadlines, we will continue outreach to you to specify which certificates are affected and when they need to be reissued. We will replace all affected certificates at no cost to you. Since certificates issued from the DigiCert root hierarchy are not impacted by these deadlines, you can continue to order and manage new certificates. Learn more

**Update**
Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which includes the Thawte, GeoTrust, and RapidSSL brands. We have  given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.

Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.

Apple's announcement does not require you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. Continue to follow our guidance on meeting the Chrome timelines and your reissued certificates will work with all browsers. The only certificates to be distrusted by Apple this summer are those that you should have already replaced to comply with Chrome 66 requirements.

Apple advisory: https://support.apple.com/en-hk/HT208860
Our blog: https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/

 

A website that has a Symantec SSL/TLS certificate issued between June 1, 2016 and December 1, 2017 will display the below error when accessed via Chrome 70 beta:

NET::ERR_CERT_SYMANTEC_LEGACY

 

Browser community distrust plan:
 

 

You can use our simple web-based tool to check whether any domain has a GeoTrust, RapidSSL, Symantec, or Thawte certificate and needs action related to upcoming releases of Google Chrome. The upcoming deadline for Chrome 70 distrust is approaching quickly, so we recommend taking action as soon as possible on any affected certificates.

https://www.digicert.com/help/

For certificates that require replacement, please submit for a free replacement ahead of the distrust date mentioned above.

 

Please use the links below to find instructions for each of the different platforms:
 

Brand Account Link
Symantec Symantec Trust Center (STC) Replacement Instructions
Symantec Trust Center Enterprise (STCE) Replacement Instructions
Managed PKI for SSL (MPKI SSL) Replacement Instructions
Reseller End User Portal Replacement Instructions
 
GeoTrust GeoTrust Security Center (GSC) Replacement Instructions
GeoTrust Security Center Enterprise (GSCE) Replacement Instructions
Reseller End User Portal Replacement Instructions
 
RapidSSL Reatail Security Center (RSC) Replacement Instructions
Reseller End User Portal Replacement Instructions
 
Thawte Thawte Certificate Center (TCC) Replacement Instructions
Thawte Certificate Center Enterprise (TCCE) Replacement Instructions
Reseller End User Portal Replacement Instructions