Ask a Question

Advanced Search

Alert ID : GN260918211708

Last Modified : 08/07/2019

SMIME Root Transition

Description

 

Over the coming months, DigiCert will transition issuance of S/MIME and/or Client Authentication certificates in MPKI 7x/8x from legacy Symantec roots to DigiCert public trusted roots. 

This initiative supports the request by root program owners to phase out the use of legacy roots previously owned by Symantec (VeriSign, Thawte, GeoTrust and Symantec Root CAs), and consolidate the number of trusted roots that DigiCert owns. 

 

This transition impacts only Managed PKI (MPKI) customers who make use of publicly trusted certificates, typically including S/MIME and/or Client Authentication certificates.

In working with both our customers and root program owners we are extending the original December 31, 2018 root deprecation date to a phased timeline that best meets transition requirements while minimizing customer impact.

 

Proposed root/ICA deprecation timeline:

Phase 1

June 30, 2019

Phase 2

December 31, 2019

Phase 3

December 31, 2020

Phase 4

March 31, 2023

·         VeriSign Class 3 Public Primary Certification Authority - G3

·         VeriSign Class 3 Public Primary Certification Authority - G5

·         Symantec Class 2 Public Primary Certification Authority - G4

·         Shared MPKI 8.x ICAs

·         Shared MPKI 7.x ICAs

·         Symantec Class 2 Public Primary Certification Authority - G6

·         VeriSign Class 2 Public Primary Certification Authority - G3

·         VeriSign Universal Root Certification Authority

·         Symantec Class 1 Public Primary Certification Authority - G6

·         VeriSign Class 1 Public Primary Certification Authority - G3



Impact to email clients on Apple OS devices:

  • On a future date, Apple intends to completely remove legacy Symantec roots off their root store.

  • Users can continue to read e-mails signed and encrypted with legacy Symantec roots, but their e-mail client will show a warning indicator (unable to verify message signature). 

     

Impact to email clients on Microsoft OS devices:

  • Currently there is no migration date until we finalize our root transition plan.

  • Microsoft, however, is allowing legacy Symantec S/MIME and/or Client Authentication certificates expire naturally.

    All certificates issued up to the root deprecation date will continue to function without impact for Microsoft-based e-mail clients and OS. 

     

     

To better prepare you, our customer, for the ICA root transition, and solidify migration timelines, we are providing below a list of affected legacy Symantec roots and potential impact by root store, email client and operating systems (OS):

 

Legacy Symantec roots to be deprecated:

GeoTrust

Thawte

Symantec

VeriSign

·         GeoTrust Global CA

·         GeoTrust Global CA 2

·         GeoTrust Primary Certification Authority

·         GeoTrust Primary Certification Authority - G2

·         GeoTrust Primary Certification Authority - G3

·         GeoTrust Universal CA

·         GeoTrust Universal CA 2

·         Thawte Primary Root CA

·         Thawte Primary Root CA - G2

·         Thawte Primary Root CA - G3

·         Thawte Timestamping CA

 

·         Symantec Class 1 Public Primary Certification Authority - G4

·         Symantec Class 1 Public Primary Certification Authority - G6

·         Symantec Class 2 Public Primary Certification Authority - G4

·         Symantec Class 2 Public Primary Certification Authority - G6

·         Symantec Class 3 Public Primary Certification Authority - G4

·         Symantec Class 3 Public Primary Certification Authority - G6

·         Symantec Enterprise Mobile Root for Microsoft

·         VeriSign Class 1 Public PCA

·         VeriSign Class 1 Public PCA - G2

·         VeriSign Class 1 Public Primary Certification Authority - G3

·         VeriSign Class 2 Public Primary Certification Authority - G2

·         VeriSign Class 2 Public Primary Certification Authority - G3

·         VeriSign Class 3 Public PCA - G2

·         VeriSign Class 3 Public PCA - MD2

·         VeriSign Class 3 Public Primary Certification Authority

·         VeriSign Class 3 Public Primary Certification Authority - G3

·         VeriSign Class 3 Public Primary Certification Authority - G4

·         VeriSign Class 3 Public Primary Certification Authority - G5

·         VeriSign Class 4 Public Primary Certification Authority - G3

·         VeriSign Universal Root Certification Authority

 

 

DigiCert target roots planned for future hierarchy (moving to this root hierarchy): 

       New DigiCert Root CA Hierarchies

Root

Issuing CA (ICA)

End Entity (EE)

DigiCert Assured ID Root G2

DigiCert PKI Platform C2 Shared SMIME  Individual Subscriber CA

RSA Certificate

DigiCert PKI Platform Class 3 Shared SMIME Organization CA

RSA Certificate

<Customer Co-branded Public CA with RSA>

RSA Certificate

DigiCert Assured ID Root G3

<Customer Co-branded Public CA with ECC>

ECC Certificate

 

 

Frequently Asked Questions (FAQ)

Why is this happening? Is this related to Symantec’s certificate distrust?

No. This initiative is part of our work to meet relevant browser and industry timing requirements, which includes:

  • Migrating customers from Symantec roots (which we acquired) to DigiCert roots.

  • Consolidating the number of roots that are included in the root program owners’ trust store to a manageable number, per their request. 

     

How do I prepare for this root migration?

Conduct an impact assessment of the impacted certificates using the list of legacy Symantec roots above. Considerations include:

  • For ALL customers, regardless of product:

    • What is your use-case for a ‘public’ certificate? E.g. secure email (S/MIME), client authentication, code signing issued from a public trusted root?

    • How many of your certificates on your MPKI account, issued from a public trusted root, are still valid?

    • Are there any ICAs hard pinned into devices, and if so, which ones?

    • Are there any dependencies that may impact your stakeholders, and if so, what are they?

    • Can you complete your migration to a new DigiCert root by December 31, 2018?  If not, how many additional days will you require?

    • To mitigate the impact to your certificate migration to a DigiCert public root, we recommend issuing 6-month certificates until you have completed the migration. Can you limit your newly issued certificate validity period to 6 months?

    • Are there additional challenges to a timely migration beyond what is stated?

       

  • For MPKI 7.x customers:

    • Have you deployed Local Hosting (LH) and/or Registration Authority (RA) components or are making use of the Remote Hosted site kit?

    • Have you customized any of the above components?

    • Have you had any custom certificate profiles configured by our operations team? i.e. End-Entity Certificate Profile (EECP)?

    • Have you integrated your MPKI 7.x solution with any third-party software or internal enterprise?

       

  • For MPKI 8.x customers:

    • Have you deployed the PKI Enterprise Gateway and/or PKI Autoenrollment service?

    • Do you make use of PKI Client enrolment method? If so, have you deployed any PKI Client Post-Processing scripts?

    • What certificate template(s) have you deployed to issue ‘public’ certificates? E.g. Secure Email, S/MIME (Digital Signature only), S/MIME (Encryption only), Client Authentication.

    • Have you integrated your MPKI 8.x solution with any third-party software? E.g. MDM vendor.

       

  • Our Account Managers and Sales Engineers will reach out to you, our customer, with these questions, also please feel free to proactively contact us to begin these discussions. 

     

What happens to my existing e-mail?

Nothing will happen to your existing e-mail. They will continue to exist in your inbox, though depending on OS, warning indicators for previously secured/signed e-mails may appear. 

 

Is client authentication impacted by root deprecation?

There are multiple options for establishing that a client certificate should be trusted for an authentication. Client certificate authentication based on a trusted root or trusted issuing CA is configured on the server which a client is connecting to. Whether your client authentication will be affected by the root deprecation depends upon your ability to configure the root store which is used to determine if a client certificate is trusted. 

 

If you can ensure that the current root or ICA will not be removed from the trusted root store configuration on the server then your client authentication will not be affected by the root deprecation. 

 

How do we transition to this new ICA?

MPKI 7

  • We will provide migration instructions on this page later.  Customers can also reach out to Sales Engineer or their respective Account Manager for assistance. 

     

MPKI 8

  • We will provide migration instructions on this page later.  Customers can also reach out to Sales Engineer or their respective Account Manager for assistance.