Alert ID : AL230221144614

Last Modified : 08/27/2021

Symantec Root Removal

Description

Symantec Legacy Root Distrust Dates

Since DigiCert acquired Symantec’s Website Security and Related PKI Solutions, we have been working fervently with thousands of customers and site administrators to help maintain system operability and avoid downtime due to impacted certificates.

To better understand distrust, it is important to remember that browsers and platforms use independent trust stores. As a result, the distrust date for a certificate differs depending on which root program the system uses.

This page will be updated periodically with the latest information and certificate chain details as they become available. We invite you to bookmark this page and use it for reference whenever needed.

Please Note: This table is provided as a reference; however, we encourage independent verification of the data when planning an impact analysis for your organization.

The reference table below will help you determine impact and resolution options for the impacted certificate chains:

| Platform | Root | Serial Number | Product | Distrust Date |
|---|---|---|---|---|
| Mozilla Firefox | VeriSign Class 3 Public Primary Certification Authority - G5 | 18DAD19E267DE8BB4A2158CDCC6B3B4A | TLS / SSL | December 11, 2018 |
| | VeriSign Class 3 Public Primary Certification Authority - G4 | 2F80FE238C0E220F486712289187ACB3 | TLS / SSL | December 11, 2018 |
| | GeoTrust Primary Certification Authority | 18ACB56AFD69B6153A636CAFDAFAC4A1 | TLS / SSL | December 11, 2018 |
| | GeoTrust Global CA | 023456 | TLS / SSL | December 11, 2018 |
| | GeoTrust Universal CA | 01 | TLS / SSL | December 11, 2018 |
| | GeoTrust Universal CA 2 | 01 | TLS / SSL | December 11, 2018 |
| | VeriSign Universal Root Certification Authority | 401AC46421B31321030EBBE4121AC51D | TLS / SSL | August 2022 |
| | | | Client (S/MIME) | March 2021 |
| | VeriSign Class 1 Public Primary Certification Authority - G3 | 008B5B75568454850B00CFAF3848CEB1A4 | Client (S/MIME) | August 30, 2022 |
| | VeriSign Class 2 Public Primary Certification Authority - G3 | 6170CB498C5F984529E7B0A6D9505B7A | Client (S/MIME) | August 30, 2022 |
| | Symantec Class 1 Public Primary Certification Authority - G4 | 216E33A5CBD388A46F2907B4273CC4D8 | Client (S/MIME) | August 30, 2022 |
| | Symantec Class 2 Public Primary Certification Authority - G4 | 34176512403BB756802D80CB7955A61E | Client (S/MIME) | August 30, 2022 |
| | Symantec Class 1 Public Primary Certification Authority - G6 | 243275F21D2FD20933F7B46ACAD0F398 | Client (S/MIME) | August 30, 2022 |
| | Symantec Class 2 Public Primary Certification Authority - G6 | 64829EFC371E745DFC97FF97C8B1FF41 | Client (S/MIME) | August 30, 2022 |
| | VeriSign Class 3 Public Primary Certification Authority - G3 | 009B7E0649A33E62B9D5EE90487129EF57 | TLS / Client (S/MIME) | Dec 14, 2020 |
| Oracle Opera / JAVA | GeoTrust Global CA | 023456 | TLS / SSL | April 16, 2019 |
| | | | Code Signing | |
| | GeoTrust Primary Certification Authority | 18ACB56AFD69B6153A636CAFDAFAC4A1 | TLS / SSL | April 16, 2019 |
| | | | Code Signing | |
| | GeoTrust Primary Certification Authority - G2 | 3CB2F4480A00E2FEEB243B5E603EC36B | TLS / SSL | April 16, 2019 |
| | | | Code Signing | |
| | GeoTrust Primary Certification Authority - G3 | 15AC6E9419B2794B41F627A9C3180F1F | TLS / SSL | April 16, 2019 |
| | | | Code Signing | |
| | GeoTrust Universal CA | 01 | TLS / SSL | April 16, 2019 |
| | | | Code Signing | |
| | thawte Primary Root CA | 344ED55720D5EDEC49F42FCE37DB2B6D | TLS / SSL | April 16, 2019 |
| | | | Code Signing | |
| | thawte Primary Root CA - G2 | 35FC265CD9844FC93D263D579BAED756 | TLS / SSL | April 16, 2019 |
| | | | Code Signing | |
| | thawte Primary Root CA - G3 | 600197B746A7EAB4B49AD64B2FF790FB | TLS / SSL | April 16, 2019 |
| | | | Code Signing | |
| | thawte Premium Server CA | 01 | TLS / SSL | April 16, 2019 |
| | | | Code Signing | |
| | VeriSign Universal Root Certification Authority | 401AC46421B31321030EBBE4121AC51D | Client (S/MIME) | March 31, 2023 |
| | | | Code Signing | |
| Apple | VeriSign Class 3 Public Primary Certification Authority - G4 | 2F80FE238C0E220F486712289187ACB3 | TLS / SSL | July 20, 2018 |
| | VeriSign Class 3 Public Primary Certification Authority - G5 | 18DAD19E267DE8BB4A2158CDCC6B3B4A | TLS / SSL | July 20, 2018 |
| | | | Code Signing | September 2, 2021 |
| | Symantec Class 3 Public Primary Certification Authority - G4 | 4C79B59A289C763164F58944D09102DE | TLS / SSL | July 20, 2018 |
| | Symantec Class 3 Public Primary Certification Authority - G6 | 65637185D36F45C68F7F31F909879282 | TLS / SSL | July 20, 2018 |
| | GeoTrust Global CA | 023456 | TLS / SSL | July 20, 2018 |
| | | | Client (S/MIME) | September 2, 2021 |
| | VeriSign Class 1 Public Primary Certification Authority - G3 | 008B5B75568454850B00CFAF3848CEB1A4 | Client (S/MIME) | Q1 2023 |
| | VeriSign Class 2 Public Primary Certification Authority - G3 | 6170CB498C5F984529E7B0A6D9505B7A | Client (S/MIME) | Q1 2023 |
| | VeriSign Universal Root Certification Authority | 401AC46421B31321030EBBE4121AC51D | Client (S/MIME) | March 31, 2023 |
| | thawte Primary Root CA | 344ED55720D5EDEC49F42FCE37DB2B6D | TLS / SSL | July 20, 2018 |
| | | | Client (S/MIME) | September 2, 2021 |
| | | | Code Signing | September 2, 2021 |
| | GeoTrust Primary Certification Authority | 18ACB56AFD69B6153A636CAFDAFAC4A1 | TLS / SSL | July 20, 2018 |
| | | | Client (S/MIME) | September 2, 2021 |
| | thawte Primary Root CA - G2 | 35FC265CD9844FC93D263D579BAED756 | TLS / SSL | July 20, 2018 |
| | | | Client (S/MIME) | April 2021 |
| | thawte Primary Root CA - G3 | 600197B746A7EAB4B49AD64B2FF790FB | TLS / SSL | July 20, 2018 |
| | | | Client (S/MIME) | September 2, 2021 |
| | | | Code Signing | September 2, 2021 |
| | GeoTrust Primary Certification Authority - G2 | 3CB2F4480A00E2FEEB243B5E603EC36B | TLS / SSL | July 20, 2018 |
| | | | Client (S/MIME) | September 2, 2021 |
| | GeoTrust Primary Certification Authority - G3 | 15AC6E9419B2794B41F627A9C3180F1F | TLS / SSL | July 20, 2018 |
| | | | Client (S/MIME) | September 2, 2021 |
| | Symantec Class 1 Public Primary Certification Authority - G4 | 216E33A5CBD388A46F2907B4273CC4D8 | Client (S/MIME) | Q1 2023 |
| | Symantec Class 1 Public Primary Certification Authority - G6 | 243275F21D2FD20933F7B46ACAD0F398 | Client (S/MIME) | Q1 2023 |
| | Symantec Class 2 Public Primary Certification Authority - G4 | 34176512403BB756802D80CB7955A61E | Client (S/MIME) | Q1 2023 |
| | Symantec Class 2 Public Primary Certification Authority - G6 | 64829EFC371E745DFC97FF97C8B1FF41 | Client (S/MIME) | Q1 2023 |
| | VeriSign Class 3 Public Primary Certification Authority - G3 | 009B7E0649A33E62B9D5EE90487129EF57 | TLS / SSL / Client (S/MIME) | September 2, 2021 |
| Microsoft IE | Symantec Class 3 Public Primary Certification Authority - G6 | 65637185D36F45C68F7F31F909879282 | TLS / SSL / Client | September 30, 2018 |
| | | | Code Signing | Feb 23, 2021 |
| | Symantec Class 3 Public Primary Certification Authority - G4 | 4C79B59A289C763164F58944D09102DE | TLS / SSL | January 31, 2019 |
| | VeriSign Class 3 Public Primary Certification Authority - G4 | 2F80FE238C0E220F486712289187ACB3 | TLS / SSL | January 31, 2019 |
| | VeriSign Class 3 Public Primary Certification Authority - G5 | 18DAD19E267DE8BB4A2158CDCC6B3B4A | TLS / SSL | May 21, 2019 |
| | thawte Primary Root CA - G2 | 35FC265CD9844FC93D263D579BAED756 | TLS / SSL | September 30, 2018 |
| | | | Client (S/MIME) | Feb 23, 2021 |
| | GeoTrust Primary Certification Authority - G2 | 3CB2F4480A00E2FEEB243B5E603EC36B | TLS / SSL | January 1, 2020 |
| | VeriSign Universal Root Certification Authority | 401AC46421B31321030EBBE4121AC51D | TLS / SSL | May 21, 2019 |
| | | | Client (S/MIME) | March 31, 2023 |
| | thawte Primary Root CA - G3 | 600197B746A7EAB4B49AD64B2FF790FB | TLS / SSL | May 21, 2019 |
| | | | Client (S/MIME) | Feb 23, 2021 |
| | GeoTrust Primary Certification Authority - G3 | 15AC6E9419B2794B41F627A9C3180F1F | TLS / SSL | May 21, 2019 |
| | | | Client (S/MIME) | Feb 23, 2021 |
| | GeoTrust Primary Certification Authority | 18ACB56AFD69B6153A636CAFDAFAC4A1 | TLS / SSL | May 21, 2019 |
| | | | Client (S/MIME) | Feb 23, 2021 |
| | thawte Primary Root CA | 344ED55720D5EDEC49F42FCE37DB2B6D | TLS / SSL | May 21, 2019 |
| | | | Client (S/MIME) | Feb 23, 2021 |
| | GeoTrust Global CA | 023456 | TLS / SSL | January 1, 2020 |
| | | | Client (S/MIME) | Feb 23, 2021 |
| | GeoTrust Universal CA | 1 | TLS / SSL | September 30, 2018 |
| | | | Client (S/MIME) | Feb 23, 2021 |
| | Verisign Class 1 Public Primary Certification Authority - G3 | 008B5B75568454850B00CFAF3848CEB1A4 | Client (S/MIME) | March, 2023 |
| | | | Code Signing | April 1, 2021 |
| | Verisign Class 2 Public Primary Certification Authority - G3 | 6170CB498C5F984529E7B0A6D9505B7A | Client (S/MIME) | March, 2023 |
| | | | Code Signing | Feb 23, 2021 |
| | Symantec Class 2 Public Primary Certification Authority - G4 | 34176512403BB756802D80CB7955A61E | Client (S/MIME) | March, 2023 |
| | | | Code Signing | Feb 23, 2021 |
| | Symantec Class 1 Public Primary Certification Authority - G6 | 243275F21D2FD20933F7B46ACAD0F398 | Client (S/MIME) | March, 2023 |
| | | | Code Signing | April 1, 2021 |
| | Symantec Class 2 Public Primary Certification Authority - G6 | 64829EFC371E745DFC97FF97C8B1FF41 | Client (S/MIME) | March, 2023 |
| | | | Code Signing | April 1, 2021 |
| | GeoTrust Global CA 2 | 01 | TLS / SSL | August 1, 2019 |
| | | | Client (S/MIME) | August 1, 2019 |
| | | | Code Signing | August 1, 2019 |
| | VeriSign Class 3 Public Primary Certification Authority - G3 | 009B7E0649A33E62B9D5EE90487129EF57 | Client (S/MIME) / Code Signing | Feb 23, 2021 |

The root programs listed here are some of the most ubiquitous; however, there are others that may be in use within your organization.

Symantec Root Removal | Code Signing

Symantec code signing certificates issued after February 23, 2021, will not be publicly trusted in the Microsoft root store. Certificates issued before that date will be publicly trusted, but when they expire, they must be renewed from the DigiCert intermediate CA and root certificate hierarchy.

How does this affect me?

If your Symantec code signing certificates were issued before February 23, 2021:

  • We recommend immediately replacing any Symantec- or VeriSign-chained code signing certificates with DigiCert-based certificates.
  • If you pinned the Symantec ICA or hardcoded acceptance of the Symantec ICA, you need to update your environment as soon as possible.
    • Stop pinning and hardcoding ICAs (recommended).
    • Or make changes to ensure your code signing certificates issued from the DigiCert ICA are trusted.

If your Symantec code signing certificates were issued after February 23, 2021:

  • These certificates will not be publicly trusted.
  • You should reissue these code signing certificates from the trusted DigiCert intermediate CA (ICA) and root certificate hierarchy as soon as possible.
  • Once you have a DigiCert-chained code signing certificate, you should re-sign your applications to ensure ongoing trust.
  • If you pinned the Symantec / VeriSign ICA or hardcoded acceptance of the Symantec / VeriSign ICA, you need to update your environment as soon as possible.
    • Stop pinning and hardcoding ICAs (recommended).
    • Or make changes to ensure your code signing certificates issued from the DigiCert ICA are trusted.

Why is this happening?

Legacy Symantec root certificates are being removed from most browsers, meaning certificates issued from those roots are no longer publicly trusted.

Microsoft is not removing the root certificates, but it is implementing a “not before” date for trust—meaning that certificates that link to the root and were issued before that date will remain publicly trusted, but those linking to the root and issued after that date will not be trusted.

On September 2, 2021, Apple will distrust 9 legacy Symantec root certificates, previously scheduled to be distrusted in April 2021. Root distrust means all certificates issued from these roots and all objects signed from those certificates will no longer be trusted on macOS and iOS.
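The two distrust models described above give different answers for the same certificate, so an inventory check has to apply them separately. The following Python sketch is an added example, not DigiCert code: the function names and the inventory entries are hypothetical, and the rule rows are a subset of the code signing rows in the reference table. It also normalizes serial numbers, because the table prints the same root serial as "01" and "1" and some serials carry a leading "00".

```python
from datetime import date

def norm_serial(serial: str) -> str:
    """Canonical serial: hex digits only, upper case, no leading zeros."""
    digits = "".join(c for c in serial if c in "0123456789abcdefABCDEF")
    return digits.upper().lstrip("0") or "0"

# Code signing rows copied from the reference table (subset only).
# "not_before": trust depends on the certificate's issue date (Microsoft).
# "removal":    nothing under the root is trusted from that date on (Apple).
ROWS = [
    ("microsoft", "65637185D36F45C68F7F31F909879282", "not_before", date(2021, 2, 23)),
    ("microsoft", "009B7E0649A33E62B9D5EE90487129EF57", "not_before", date(2021, 2, 23)),
    ("apple", "18DAD19E267DE8BB4A2158CDCC6B3B4A", "removal", date(2021, 9, 2)),
    ("apple", "344ED55720D5EDEC49F42FCE37DB2B6D", "removal", date(2021, 9, 2)),
]
RULES = {(p, norm_serial(s)): (mode, d) for p, s, mode, d in ROWS}

def code_signing_status(platform, root_serial, issued, check_date):
    """Return 'trusted', 'distrusted' or 'not listed' (not in this subset).
    Certificate expiry is not modelled; 'trusted' means not yet cut off."""
    rule = RULES.get((platform, norm_serial(root_serial)))
    if rule is None:
        return "not listed"
    mode, cutoff = rule
    # Assumption: a certificate issued exactly on the cutoff date is distrusted.
    deciding = issued if mode == "not_before" else check_date
    return "trusted" if deciding < cutoff else "distrusted"

# Constructed inventory: (label, root serial as a tool might print it, issue date)
INVENTORY = [
    ("build-signer-2020", "9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57", date(2020, 6, 1)),
    ("build-signer-2021", "009B7E0649A33E62B9D5EE90487129EF57", date(2021, 3, 15)),
    ("mac-signer", "344ED55720D5EDEC49F42FCE37DB2B6D", date(2019, 1, 10)),
]

def report(check_date):
    """Evaluate every inventory entry against both platforms' rules."""
    return {
        label: {p: code_signing_status(p, serial, issued, check_date)
                for p in ("microsoft", "apple")}
        for label, serial, issued in INVENTORY
    }

if __name__ == "__main__":
    for label, result in report(date(2021, 10, 1)).items():
        print(label, result)
```

A "not listed" result only means the root has no code signing row in the subset embedded here; check the full table before treating a certificate as unaffected.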

 

We apologize for any inconvenience. If you have additional questions, please contact your account manager or our support team.