Knowledge Base

Description

Symantec Legacy Root Distrust Dates

Since DigiCert acquired Symantec’s Website Security and Related PKI Solutions, we have been working fervently with thousands of customers and site administrators to help maintain system operability and avoid downtime due to impacted certificates.

To better understand distrust, it is important to remember that various browsers and platforms use independent trust stores. This results in differing dates for distrusted certificates depending on what Root Program the system is utilizing.

This page will periodically be updated with the latest information and certificate chain details as it becomes available. We invite you to bookmark this page and use it for reference whenever needed.

Please Note: This table is provided as a reference, however we encourage the independent verification of the data when planning an impact analysis for your organization.

The reference table below will help you determine impact and resolution options for the impacted certificate chains:

The Root Programs listed here are some of the most ubiquitious, however there are others that may be in use within your organization.

• Microsoft | Internet Explorer
• Apple | Safari
• Mozilla | Firefox
• Oracle | Java / Opera
• Adobe | AATL

Symantec Root Removal | Code Signing

Symantec code signing certificates issued after February 23, 2021, will not be publicly trusted in the Microsoft root store. Certificates issued before that date will be publicly trusted, but when they expire, they must be renewed from DigiCert intermediate CA and root certificate hierarchy.

How does this affect me?

If your Symantec code signing certificates were issued before February 23, 2021:

• We recommend replacing any Symantec or Verisign chained Code certificates with DigiCert based certificates immediately.
• If you pinned the Symantec ICA or hardcoded acceptance of the Symantec ICA, you need to update your environment as soon as possible.
  • Stop pinning and hardcoding ICAs (recommended).
  • Or make changes to ensure your code signing certificates issued from the DigiCert ICA are trusted.
     

If your Symantec code signing certificates were issued after February 23, 2021:

• These certificates will not be publicly trusted.
• You should reissue these code signing certificates from trusted DigiCert intermediate CAs (ICAs) and root certificates hierarchy as soon as possible.
• Once you have a DigiCert chained Code Signing certificate, you should resign your applications to ensure ongoing trust.
• If you pinned the Symantec / VeriSign ICA or hardcoded acceptance of the Symantec / VeriSign ICA, you need to update your environment as soon as possible.
  • Stop pinning and hardcoding ICAs (recommended).
  • Or make changes to ensure your code signing certificates issued from the DigiCert ICA are trusted.
     

Why is this happening?

Legacy Symantec root certificates are being removed from most browsers, meaning certificates issued from those roots are no longer publicly trusted.

Microsoft is not removing the root certificates, but they are implementing a “not before” date for trust—meaning that certificates that link to the root and were issued before that date will remain publicly trusted, but those linking to the root and issued after that date will not be trusted.

On September 2, 2021, Apple will distrust 9 legacy Symantec root certificates, previously scheduled to be distrusted in April 2021. Root distrust means all certificates issued from these roots and all objects signed from those certificates will no longer be trusted on macOS and iOS.

We apologize for any inconvenience. If you have additional questions, please contact your account manager or our support team.