Over the coming months, DigiCert will transition issuance of S/MIME and/or Client Authentication certificates in DigiCert PKI Platform 7/8 from legacy Symantec roots to DigiCert public trusted roots.
This initiative supports the request by root program owners to phase out the use of legacy roots previously owned by Symantec (VeriSign, Thawte, GeoTrust and Symantec Root CAs), and consolidate the number of trusted roots that DigiCert owns.
This transition impacts only Managed PKI customers who make use of publicly trusted certificates, typically including S/MIME and/or Client Authentication certificates.
In working with both our customers and root program owners, we are extending the original December 31, 2018 root deprecation date to a phased timeline that best meets transition requirements while minimizing customer impact.
Proposed root/ICA deprecation timeline:
- June 30, 2019
- December 31, 2019
- December 31, 2020
- March 31, 2023
**Microsoft & Mozilla only
Impact to email clients on Apple OS devices:
On a future date, Apple intends to completely remove the legacy Symantec roots from its root store.
Users can continue to read e-mails signed and encrypted with certificates that chain to legacy Symantec roots, but their e-mail client will show a warning indicator (unable to verify message signature).
Apple is planning to remove the following roots from its root store in its February 2021 release:
Apple is planning to remove the following roots from its root store on January 31, 2022:
Impact to email clients on Microsoft OS devices:
There is currently no migration date; one will be set once we finalize our root transition plan.
Microsoft is, however, allowing legacy Symantec S/MIME and/or Client Authentication certificates to expire naturally.
All certificates issued up to the root deprecation date will continue to function without impact on Microsoft-based e-mail clients and operating systems.
To better prepare you, our customer, for the ICA root transition, and solidify migration timelines, we are providing below a list of affected legacy Symantec roots and potential impact by root store, email client and operating systems (OS):
Legacy Symantec roots to be deprecated:
DigiCert target roots planned for future hierarchy (moving to this root hierarchy):
New DigiCert Root CA Hierarchies:

| Root | Issuing CA (ICA) | End Entity (EE) |
|---|---|---|
| DigiCert Assured ID Root G2 | DigiCert PKI Platform C2 Shared SMIME Individual Subscriber CA | RSA Certificate |
| DigiCert Assured ID Root G2 | DigiCert PKI Platform Class 3 Shared SMIME Organization CA | RSA Certificate |
| DigiCert Assured ID Root G2 | <Customer Co-branded Public CA with RSA> | RSA Certificate |
| DigiCert Assured ID Root G3 | <Customer Co-branded Public CA with ECC> | ECC Certificate |
Why is this happening? Is this related to Symantec’s certificate distrust?
No. This initiative is part of our work to meet relevant browser and industry timing requirements, which includes:
- Migrating customers from Symantec roots (which we acquired) to DigiCert roots.
- Consolidating the number of roots that are included in the root program owners’ trust stores to a manageable number, per their request.
Conduct an impact assessment of the affected certificates using the list of legacy Symantec roots above. Considerations include:
For ALL customers, regardless of product:
- What is your use case for a ‘public’ certificate? E.g. secure email (S/MIME), client authentication, or code signing issued from a publicly trusted root?
- How many of your certificates on your PKI account, issued from a publicly trusted root, are still valid?
- Are there any ICAs hard-pinned into devices, and if so, which ones?
- Are there any dependencies that may impact your stakeholders, and if so, what are they?
- Can you complete your migration to a new DigiCert root by December 31, 2018? If not, how many additional days will you require?
- To mitigate the impact of your certificate migration to a DigiCert public root, we recommend issuing 6-month certificates until you have completed the migration. Can you limit your newly issued certificate validity period to 6 months?
- Are there additional challenges to a timely migration beyond what is stated?
- Have you deployed Local Hosting (LH) and/or Registration Authority (RA) components, or are you making use of the Remote Hosted site kit?
- Have you customized any of the above components?
- Have you had any custom certificate profiles configured by our operations team, e.g. an End-Entity Certificate Profile (EECP)?
- Have you integrated your Shared MPKI 8.x ICA solution with any third-party software or internal enterprise systems?
- Have you deployed the PKI Enterprise Gateway and/or the PKI Autoenrollment service?
- Do you make use of the PKI Client enrollment method? If so, have you deployed any PKI Client post-processing scripts?
- What certificate template(s) have you deployed to issue ‘public’ certificates? E.g. Secure Email, S/MIME (Digital Signature only), S/MIME (Encryption only), Client Authentication.
- Have you integrated your MPKI 8.x solution with any third-party software, e.g. an MDM vendor?
What happens to my existing e-mail?
Nothing will happen to your existing e-mails. They will continue to exist in your inbox, though, depending on the OS, warning indicators may appear on previously secured or signed e-mails.
Is client authentication impacted by root deprecation?
There are multiple options for establishing that a client certificate should be trusted for authentication. Client certificate authentication based on a trusted root or trusted issuing CA is configured on the server to which the client connects. Whether your client authentication will be affected by the root deprecation therefore depends on your ability to configure the trust store that server uses to decide whether a client certificate is trusted.
If you can ensure that the current root or ICA will not be removed from the trusted root store configuration on the server, then your client authentication will not be affected by the root deprecation.
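The two points above, and the inventory questions in the impact assessment, come down to one mechanism: a client certificate is accepted only if the server's configured trust store contains the root its chain ends in, and a certificate is only "still valid" if that path builds inside its validity period. The following Go program is added here as an illustration; it is not DigiCert tooling and uses nothing but the standard-library x509 verifier. It builds a constructed legacy hierarchy and a constructed target hierarchy (every CA name, key, subject and validity period is made up for the example), then checks that a legacy-issued client certificate still verifies while the legacy root remains in the server store, that it stops verifying once that root is removed, that a certificate reissued under the target root verifies, and finally counts how many certificates in a set are still valid and chain to the legacy root, which is the question the assessment asks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chain is a client certificate plus the ICA that issued it; the root lives in the server's store.
type chain struct{ leaf, ica *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues an ECDSA P-256 certificate for cn (self-signed when parent is nil). The hierarchy built with it is constructed for illustration only.
func makeCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // end-entity client cert
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// trustedForClientAuth is the server-side check: path-build from the leaf through the presented
// ICA to a root that is present in the server's configured trust store, evaluated at time now.
func trustedForClientAuth(c chain, roots *x509.CertPool, now time.Time) bool {
	inter := x509.NewCertPool()
	inter.AddCert(c.ica)
	_, err := c.leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// countStillValidUnder is the inventory question: how many certificates are still within
// their validity period and chain to one of the given (legacy) roots.
func countStillValidUnder(chains []chain, legacyRoots *x509.CertPool, now time.Time) int {
	n := 0
	for _, c := range chains {
		if trustedForClientAuth(c, legacyRoots, now) {
			n++
		}
	}
	return n
}

// runScenario builds constructed legacy and target hierarchies and evaluates:
//   legacyOnLegacy: legacy-issued cert while the server still trusts the legacy root
//   legacyOnNew:    the same cert once the legacy root is removed from the store
//   newOnNew:       cert reissued under the target root, checked against that root
//   legacyValid:    inventory count of still-valid certs that chain to the legacy root
func runScenario() (legacyOnLegacy, legacyOnNew, newOnNew bool, legacyValid int) {
	now := time.Now()
	start, caEnd := now.Add(-time.Hour), now.Add(10*365*24*time.Hour)
	legacyRoot, legacyRootKey := makeCert("Constructed Legacy Root", true, start, caEnd, nil, nil)
	legacyICA, legacyICAKey := makeCert("Constructed Legacy Client Auth ICA", true, start, caEnd, legacyRoot, legacyRootKey)
	newRoot, newRootKey := makeCert("Constructed Target Root", true, start, caEnd, nil, nil)
	newICA, newICAKey := makeCert("Constructed Target Client Auth ICA", true, start, caEnd, newRoot, newRootKey)
	sixMonths := now.Add(182 * 24 * time.Hour) // the interim validity period recommended during migration
	valid, _ := makeCert("alice@example.test", false, start, sixMonths, legacyICA, legacyICAKey)
	expired, _ := makeCert("bob@example.test", false, now.Add(-48*time.Hour), now.Add(-24*time.Hour), legacyICA, legacyICAKey)
	reissued, _ := makeCert("alice@example.test", false, start, sixMonths, newICA, newICAKey)
	legacyStore, newStore := x509.NewCertPool(), x509.NewCertPool()
	legacyStore.AddCert(legacyRoot)
	newStore.AddCert(newRoot) // the deprecated legacy root is deliberately absent from this store
	legacy := chain{valid, legacyICA}
	return trustedForClientAuth(legacy, legacyStore, now),
		trustedForClientAuth(legacy, newStore, now),
		trustedForClientAuth(chain{reissued, newICA}, newStore, now),
		countStillValidUnder([]chain{legacy, {expired, legacyICA}, {reissued, newICA}}, legacyStore, now)
}

func main() {
	fmt.Println(runScenario())
}
```

Running it prints `true false true 1`: the same legacy-issued certificate is accepted or rejected purely on what the server's store contains, and of the three certificates only one is both unexpired and anchored on the legacy root. Against a real account the constructed hierarchy would be replaced by the exported certificates and the legacy root list from this page; the verification and counting logic stays the same.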
How do we transition to this new ICA?
DigiCert PKI Platform 7
DigiCert PKI Platform 8
We will provide migration instructions on this page later. Customers can also reach out to their Sales Engineer or their respective Account Manager for assistance.