Alert ID : INFO4565

Last Modified : 05/03/2018

Generate a real-time report to identify certificates impacted by potential Chrome distrust

Description

On September 11, 2017, Google posted a blog post titled “Chrome’s Plan to Distrust Symantec Certificates”.
One aspect of Google’s proposal is that starting March 15, 2018, Chrome 66 will distrust Symantec certificates issued prior to June 1, 2016. Chrome 70 will eventually distrust all Symantec certificates issued under the current Symantec Web PKI hierarchy (root and intermediate CAs).
 




As of December 1, 2017, Symantec issues all public SSL/TLS certificates from the new DigiCert hierarchy, which will continue to be trusted by Google Chrome. Replace your at-risk certificates and intermediate CAs so your website visitors continue to have a trusted, uninterrupted experience.

 

Replace these certificates based on the Chrome release schedule:

Case 1: For Symantec certificates issued prior to June 1, 2016 and expiring before March 15, 2018, there is no action required.

Case 2: For Symantec certificates issued prior to June 1, 2016 and expiring on or after March 15, 2018 and before September 13, 2018, replace them by March 15, 2018.

Case 3: For Symantec certificates issued prior to June 1, 2016 and expiring on or after September 13, 2018, replace them by March 15, 2018.

Case 4: For Symantec certificates issued on or after June 1, 2016 and expiring on or after September 13, 2018, replace them by September 13, 2018.


To generate a real-time report to identify the impacted certificates:

Step 1: Configure Reports

  1. Access the Managed PKI for SSL Control Center:  https://enterprise-ssl-admin.websecurity.symantec.com
  2. From the top menu, click Configuration
  3. From the list, click Reports
  4. Make sure that “Validity Start Date”, “Validity End Date” and “Server Type” are included in the report


Step 2: Run the real-time report

  1. Click Certificate Management > Real-time Reports
  2. Select a Report Type (Detail is the default)
  3. Select a File Format (Excel will allow you to sort by the columns)
  4. Select the Date Range (Start date should be older than 1/1/2014)
  5. Select the Certificate Status (Valid certificates should be selected for existing certificates that have been issued)
  6. Click Submit

 

Step 3: Identify the certificates that are at risk

  1. Open a real-time report
  2. Exclude “Private SSL” and “Code Signing” products, which are not at risk
  3. Impacted certificates for case 2:
    1. Sort by “Validity Start Date” to see the certificates issued prior to June 1, 2016
    2. Sort by “Validity End Date” to see the certificates expiring on or after March 15, 2018 and before September 13, 2018
  4. Impacted certificates for case 3:
    1. Sort by “Validity Start Date” to see the certificates issued prior to June 1, 2016
    2. Sort by “Validity End Date” to see the certificates expiring on or after September 13, 2018
  5. Impacted certificates for case 4:
    1. Sort by “Validity Start Date” to see the certificates issued on or after June 1, 2016
    2. Sort by “Validity End Date” to see the certificates expiring on or after September 13, 2018
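
The sorting in Step 3 can also be done with a script. The following is an added example, not part of the original article or the Control Center: it applies Cases 1 to 4 to a report saved as CSV. The CSV export, the "Product" and "Common Name" column names and the MM/DD/YYYY date format are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

ISSUED_CUTOFF = date(2016, 6, 1)      # issuance boundary used by Cases 1-4
FIRST_DEADLINE = date(2018, 3, 15)    # replace-by date for Cases 2 and 3
SECOND_DEADLINE = date(2018, 9, 13)   # replace-by date for Case 4
NOT_AT_RISK = {"Private SSL", "Code Signing"}  # products Step 3 excludes

def classify(issued, expires):
    """Return (case, replace_by); (None, None) when no listed case matches."""
    if issued < ISSUED_CUTOFF:
        if expires < FIRST_DEADLINE:
            return 1, None            # Case 1: no action required
        if expires < SECOND_DEADLINE:
            return 2, FIRST_DEADLINE
        return 3, FIRST_DEADLINE
    if expires >= SECOND_DEADLINE:
        return 4, SECOND_DEADLINE
    return None, None                 # combination not covered by Cases 1-4

def at_risk(report_file, date_format="%m/%d/%Y"):
    """Yield (common_name, case, replace_by) for rows that need replacement."""
    for row in csv.DictReader(report_file):
        if row["Product"] in NOT_AT_RISK:   # "Product" column name is assumed
            continue
        issued = datetime.strptime(row["Validity Start Date"], date_format).date()
        expires = datetime.strptime(row["Validity End Date"], date_format).date()
        case, replace_by = classify(issued, expires)
        if replace_by is not None:
            yield row["Common Name"], case, replace_by

# Constructed sample report; names, products and dates are illustrative only.
SAMPLE = """Common Name,Product,Validity Start Date,Validity End Date
old.example.test,Standard SSL,05/01/2015,02/01/2018
shop.example.test,Standard SSL,05/01/2015,06/01/2018
www.example.test,Standard SSL,01/15/2016,01/15/2019
api.example.test,Standard SSL,08/01/2016,08/01/2019
intranet.example.test,Private SSL,01/01/2015,01/01/2019
short.example.test,Standard SSL,07/01/2017,07/01/2018
"""

if __name__ == "__main__":
    for name, case, replace_by in at_risk(io.StringIO(SAMPLE)):
        print(f"{name}: case {case}, replace by {replace_by:%B %d, %Y}")
```

Rows that match none of the four cases, such as a certificate issued on or after June 1, 2016 that expires before September 13, 2018, are left out of the output rather than assigned a deadline the article does not give.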

 

Step 4: Replace the certificates identified at Step 3

Additional information can be found in the Knowledge Base article titled How to replace a Managed PKI for SSL certificate.