Solution ID : SO29613

Last Modified : 06/11/2018

Generate report to identify certificates impacted by potential Chrome distrust

Solution

On September 11, 2017, Google posted a blog entitled Chrome’s Plan to Distrust Symantec Certificates.
One aspect of Google’s proposal is that starting March 15, 2018, Chrome 66 will distrust the Thawte certificates issued prior to June 1, 2016 and Chrome 70 will eventually distrust all Thawte certificates issued under the current infrastructure. Thawte expects to issue all new public SSL/TLS certificates from the new infrastructure by December 1, 2017.

**Update**
Apple announced they will be distrusting SSL/TLS certificates issued from Symantec’s legacy root certificates, which include the Thawte, GeoTrust, and RapidSSL brands. We have given guidance on replacing these certificates for compatibility with Google Chrome and Mozilla Firefox. This new announcement from Apple imposes later deadlines, and does not require any additional action if you have already followed our previous guidance.

Apple’s newly announced distrust will occur in two stages. For simplicity, neither stage requires you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. If you have already replaced your certificates, you do not need to replace them again. Once you have installed SSL certificates that are issued from DigiCert roots, you will be compliant with all browsers.

Apple's announcement does not require you to make any changes to the existing migration plan needed for compatibility with Chrome and other browsers. Continue to follow our guidance on meeting the Chrome timelines and your reissued certificates will work with all browsers. The only certificates to be distrusted by Apple this summer are those that you should have already replaced to comply with Chrome 66 requirements.

Apple advisory: https://support.apple.com/en-hk/HT208860
Our blog: https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/
 

We recommend that you replace these certificates based on the Chrome release schedule.

Case 1: If you have Thawte certificates issued prior to June 1, 2016 that expire before March 15, 2018, there is no action required.

Case 2: If you have Thawte certificates issued prior to June 1, 2016 that expire on or after March 15, 2018 but before September 13, 2018, you must replace them by March 15, 2018.

Case 3: If you have Thawte certificates issued prior to June 1, 2016 that expire on or after September 13, 2018, you need to replace them starting December 1, 2017 and complete by March 15, 2018.

Case 4: If you have Thawte certificates issued on or after June 1, 2016 that expire on or after September 13, 2018, you need to replace them starting December 1, 2017 and complete by September 13, 2018.
 

Table view of information above:

| Case | Issued | Expires | Begin to Replace | Complete Replacement by |
|------|--------|---------|------------------|-------------------------|
| 1 | Before June 1, 2016 | Before March 15, 2018 | N/A – no action required | N/A – no action required |
| 2 | Before June 1, 2016 | On or between March 15, 2018 and September 12, 2018 | Any time | March 15, 2018 |
| 3 | Before June 1, 2016 | On or after September 13, 2018 | December 1, 2017 | March 15, 2018 |
| 4 | On or after June 1, 2016 | On or after September 13, 2018 | December 1, 2017 | September 13, 2018 |

 


Please perform the following steps to generate a report to identify impacted certificates if you are a Thawte Certificate Center (TCC) customer or if you are a Thawte Certificate Center Enterprise (TCCE) customer.

Instructions for Thawte Certificate Center (TCC)
Instructions for Thawte Certificate Center Enterprise (TCCE)


 

Instructions for Thawte Certificate Center (TCC)

Step 1:  Identify Certificates to be Replaced

  1. Access and log in to the Thawte Certificate Center (TCC)
  2. Click Expires to re-organize the certificate list by expiration date.
  3. Refer to the Cases listed above to determine which certificates need to be replaced.
    Note:  Ignore all Code Signing certificates as they are not at risk.

Step 2:  Replace the Certificates Identified in Step 1

Additional information can be found in the Knowledge Base article entitled How to replace SSL certificate in the Thawte Certificate Center (TCC) account

 

 

Instructions for Thawte Certificate Center Enterprise (TCCE)

Step 1: Generate Report

  1. Access the Thawte Certificate Center Enterprise (TCCE)
  2. From Common Tasks on the right-hand side, click Generate a new report
  3. Select a Report type (Detail is the default)
  4. Select a File format (Excel will allow you to sort by the columns)
  5. Enter a Date range (Start date should be earlier than 01/01/2014)
  6. Select All organizations
  7. Select All Certificate types
  8. Select Valid Certificate Status
  9. Make sure that “Validity start date”, “Validity end date” and “Server platform” are included in the report, along with any other data that will help you identify certificates.
  10. Click Generate

 

Step 2: Identify the Certificates that are at Risk

  1. Open the report
  2. Impacted certificates for case 2:
     - Sort by “Validity Start Date” to see the certificates issued before June 1, 2016
     - Sort by “Validity End Date” to see the certificates expiring on or between March 15, 2018 and September 12, 2018
  3. Impacted certificates for case 3:
     - Sort by “Validity Start Date” to see the certificates issued before June 1, 2016
     - Sort by “Validity End Date” to see the certificates expiring on or after September 13, 2018
  4. Impacted certificates for case 4:
     - Sort by “Validity Start Date” to see the certificates issued on or after June 1, 2016
     - Sort by “Validity End Date” to see the certificates expiring on or after September 13, 2018
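The sorting in Step 2 can also be done by script. The following is an added example, not part of the original article or any Thawte tooling: it assigns each report row to one of the cases above and orders rows by replacement deadline. It assumes the report has been saved as CSV with the “Validity start date” and “Validity end date” columns from Step 1 and MM/DD/YYYY dates; the “Common name” column and the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

ISSUE_CUTOFF = date(2016, 6, 1)   # issue-date boundary used by all four cases
CHROME_66 = date(2018, 3, 15)     # deadline for cases 2 and 3
CHROME_70 = date(2018, 9, 13)     # deadline for case 4
DEADLINES = {1: None, 2: CHROME_66, 3: CHROME_66, 4: CHROME_70}

def classify(issued, expires):
    """Return the article's case number (1-4), or None if no case covers the pair."""
    if issued < ISSUE_CUTOFF:
        if expires < CHROME_66:
            return 1              # expires before Chrome 66: no action required
        return 2 if expires < CHROME_70 else 3
    if expires >= CHROME_70:
        return 4
    return None                   # issued on/after June 1, 2016, expires before Sept 13, 2018

def triage(report_text, fmt="%m/%d/%Y"):
    """Annotate each CSV row with its case and deadline; earliest deadline first."""
    def to_date(s):
        return datetime.strptime(s.strip(), fmt).date()
    rows = []
    for row in csv.DictReader(io.StringIO(report_text)):
        case = classify(to_date(row["Validity start date"]),
                        to_date(row["Validity end date"]))
        rows.append({**row, "Case": case, "Replace by": DEADLINES.get(case)})
    # Rows with no deadline (case 1 or uncovered) sort last; sort is stable.
    rows.sort(key=lambda r: (r["Replace by"] is None, r["Replace by"] or date.max))
    return rows

# Constructed sample report (not real certificate data).
SAMPLE_REPORT = """Common name,Validity start date,Validity end date,Server platform
a.example.test,02/10/2015,02/10/2018,Apache
b.example.test,05/20/2016,05/20/2018,IIS
c.example.test,05/31/2016,05/31/2019,Nginx
d.example.test,06/01/2016,09/13/2018,Apache
e.example.test,07/15/2016,07/15/2018,IIS
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(r["Common name"], "case:", r["Case"], "replace by:", r["Replace by"])
```

Rows that return no case (issued on or after June 1, 2016 and expiring before September 13, 2018) are not addressed by the cases listed above, so the script reports them separately instead of assigning one.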

 

Step 3: Replace the Certificates Identified in Step 2

Additional information can be found in the Knowledge Base article entitled How do I reissue or replace an SSL certificate?