Ask a Question

Alert ID : INFO4570

Last Modified : 05/21/2018

Complete Website Security: Find certificates impacted by potential Chrome distrust

Description

On September 11, 2017, Google posted a blog titled Chrome’s Plan to Distrust Symantec Certificates.
One aspect of Google’s proposal is that starting March 15, 2018, Chrome 66 will distrust Symantec certificates issued prior to June 1, 2016. Chrome 70 will eventually distrust all Symantec certificates issued under the current Symantec Web PKI hierarchy (root and intermediate CAs).
 


 

As of December 1, 2017, Symantec issues all public SSL/TLS certificates from the new DigiCert hierarchy, which will continue to be trusted by Google Chrome. Replace your at-risk certificates and intermediate CAs so your website visitors continue to have a trusted, uninterrupted experience.


Replace these certificates based on the Chrome release schedule:

Case 1: For Symantec certificates issued prior to June 1, 2016 and expiring before March 15, 2018, there is no action required.

Case 2: For Symantec certificates issued prior to June 1, 2016 and expiring on or after March 15, 2018 and before September 13, 2018, replace them by March 15, 2018.

Case 3: For Symantec certificates issued prior to June 1, 2016 and expiring on or after September 13, 2018, replace them by March 15, 2018.

Case 4: For Symantec certificates issued on or after June 1, 2016 and expiring on or after September 13, 2018, replace them by September 13, 2018.


To find and replace certificates impacted by potential Chrome distrust:

Step 1: Configure your certificates view

  1. Sign in to the Complete Website Security dashboard.
  2. In Certificate lifecycle alerts, look for these alerts:
    • Certificates will be distrusted by browsers – replace by March 15, 2018
    • Certificates will be distrusted by browsers – replace by September 13, 2018
  3. Click View for each alert to see the certificates at risk.
  4. Review and prioritize the certificates that you need to replace.
    • Replace any certificate that secures a public-facing website.
    • To save time, you can skip certificates that secure devices, internal domains, or other non-public websites.
      Keep in mind that Chrome will still show warnings to users who visit a website with a distrusted certificate.
  5. Replace high-priority certificates by the deadline:
    • If the certificate belongs to your Complete Website Security account, open the Actions menu and click Replace/Revoke.
    • If the certificate belongs to another account, contact the certificate owner.
  6. Optional: Customize and save the view for easy reference later.
    • Filter by owner, user tags, or other certificate attributes to reduce the number of results and focus your review.
    • Click Actions > Save as new view to easily access this filtered view later.