On September 11, 2017, Google published a blog post entitled Chrome’s Plan to Distrust Symantec Certificates.
One aspect of Google’s proposal is that starting March 15, 2018, Chrome 66 will distrust the RapidSSL certificates issued prior to June 1, 2016 and Chrome 70 will eventually distrust all RapidSSL certificates issued under the current infrastructure. RapidSSL expects to issue all new public SSL/TLS certificates from the new infrastructure by December 1, 2017.
Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which includes the Thawte, GeoTrust, and RapidSSL brands. We have given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.
Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.
Apple's announcement does not require you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. Continue to follow our guidance on meeting the Chrome timelines and your reissued certificates will work with all browsers. The only certificates to be distrusted by Apple this summer are those that you should have already replaced to comply with Chrome 66 requirements.
Apple advisory: https://support.apple.com/en-hk/HT208860
Our blog: https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/
We recommend that you replace these certificates based on the Chrome release schedule.
Case 1: If you have RapidSSL certificates issued prior to June 1, 2016 that expire before March 15, 2018, there is no action required.
Case 2: If you have RapidSSL certificates issued prior to June 1, 2016 that expire on or after March 15, 2018 but before September 13, 2018, you must replace them by March 15, 2018.
Case 3: If you have RapidSSL certificates issued prior to June 1, 2016 that expire on or after September 13, 2018, you need to replace them starting December 1, 2017 and complete by March 15, 2018.
Case 4: If you have RapidSSL certificates issued on or after June 1, 2016 that expire on or after September 13, 2018, you need to replace them starting December 1, 2017 and complete by September 13, 2018.
Table view of information above:
| Case | Issued | Expires | Begin to Replace | Complete Replacement by |
|------|--------|---------|------------------|-------------------------|
| 1 | Before June 1, 2016 | Before March 15, 2018 | N/A – no action required | N/A – no action required |
| 2 | Before June 1, 2016 | On or between March 15, 2018 and September 12, 2018 | Any time | March 15, 2018 |
| 3 | Before June 1, 2016 | On or after September 13, 2018 | December 1, 2017 | March 15, 2018 |
| 4 | On or after June 1, 2016 | On or after September 13, 2018 | December 1, 2017 | September 13, 2018 |
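The four cases can be applied mechanically to a certificate inventory. The following Python sketch is an added example, not RapidSSL's or DigiCert's reporting tool; the CSV layout, host names, and function names are assumptions, and it assumes every row is a RapidSSL certificate issued from the legacy infrastructure. Certificates issued on or after June 1, 2016 that expire before September 13, 2018 are not covered by any case above, so they are reported as unclassified rather than guessed at.

```python
import csv
import io
from datetime import date
from typing import NamedTuple, Optional

ISSUED_CUTOFF = date(2016, 6, 1)    # issuance boundary between cases 1-3 and case 4
CHROME_66 = date(2018, 3, 15)       # first distrust date in the schedule
CHROME_70 = date(2018, 9, 13)       # final deadline in the schedule
BEGIN_REPLACE = date(2017, 12, 1)   # earliest start for cases 3 and 4

class Plan(NamedTuple):
    case: Optional[int]             # None: not covered by the four cases
    begin: Optional[date]           # None with a deadline set means "any time"
    complete_by: Optional[date]     # None means no replacement deadline applies

def classify(issued: date, expires: date) -> Plan:
    if issued < ISSUED_CUTOFF:
        if expires < CHROME_66:
            return Plan(1, None, None)
        if expires < CHROME_70:
            return Plan(2, None, CHROME_66)
        return Plan(3, BEGIN_REPLACE, CHROME_66)
    if expires >= CHROME_70:
        return Plan(4, BEGIN_REPLACE, CHROME_70)
    return Plan(None, None, None)

# Constructed sample inventory (hypothetical hosts and validity dates).
INVENTORY_CSV = """common_name,not_before,not_after
shop.example.com,2015-04-10,2018-02-01
mail.example.com,2015-09-01,2018-08-31
api.example.com,2016-02-20,2019-02-20
www.example.com,2017-01-15,2019-01-15
vpn.example.com,2017-05-01,2018-05-01
"""

def report(csv_text: str):
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        plan = classify(date.fromisoformat(r["not_before"]),
                        date.fromisoformat(r["not_after"]))
        rows.append((r["common_name"], plan))
    # Certificates with a deadline come first, earliest deadline at the top.
    rows.sort(key=lambda x: (x[1].complete_by is None, x[1].complete_by or date.max))
    return rows

if __name__ == "__main__":
    for name, plan in report(INVENTORY_CSV):
        print(name, plan.case, plan.begin, plan.complete_by)
```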
Please perform the following steps to generate a report to identify impacted certificates.
Step 1: Identifying Certificates to be Replaced
Step 2: Replace the certificates identified in Step 1
Additional information can be found in the Knowledge Base article entitled RapidSSL Security Center: Certificate Replacement Procedure.