Update: January 12, 2018
This blog post is a follow-up to the information we published a few months ago regarding the Google-Symantec conundrum.
Symantec and Google have agreed on a plan that requires Symantec to migrate certificate validation to a third party. In exchange, Google would ensure that the Chrome browser continues to trust Symantec certificates validated by this third party. Shortly thereafter, DigiCert announced its plan to acquire Symantec’s Website Security Business by the end of 2017. With this acquisition, Digicert would effectively take over the validation for all of Symantec’s certificate brands by December 1st, 2017, which would satisfy the asks of the browser community.
In light of these changes, Google has announced an updated plan as to how Chrome would deal with certificates issued by DigiCert’s validation infrastructure. This plan has received some coverage in the media, stating that Google would no longer trust any Symantec certificate brand by 2018. This information is incomplete, incorrect and it has created some confusion and uncertainty. Here’s what you need to know:
- From December 1, 2017, all Symantec certificate brands (Symantec, GeoTrust, Thawte and RapidSSL) will be issued from DigiCert’s validation platform and Chrome will trust those certificates. For clarity: the Symantec certificate brands will continue to exist after December 2017, they will only be issued from a different, upgraded validation platform. Google will continue to trust all Symantec certificates that have been issued from this new platform after December 1st, 2017.
What does this mean if you have a certificate from any of the Symantec brands?
Certificates issued prior to June 1, 2016
If you have a certificate that has been issued prior to June 1, 2016, the Chrome browser will no longer trust this certificate after March 15, 2018. In order to retain trust by the Chrome browser, you need to replace this certificate. Some important dates to keep in mind:
- If the certificate expires prior to March 15, 2018, you need to do nothing. The certificate will continue to be trusted by Chrome until it expires.
- If the certificate expires after March 15, 2018, but before September 13, 2018, you can re-issue this certificate any time before March 15, 2018.
- If the certificate expires after September 13, 2018, you will need to re-issue the certificate before March 15, 2018.
Certificates issued after June 1, 2016
If you have an existing certificate that has been issued after June 1, 2016, the Chrome browser will no longer trust this certificate after September 13, 2018. Some important dates to keep in mind:
- If the certificate expires prior to September 13, 2018, you need to do nothing. The certificate will continue to be trusted by Chrome until it expires.
- If the certificate expires after September 13, 2018, you will need to re-issue the certificate before September 13, 2018.
- If you have purchased a certificate after December 1, 2017, the Chrome browser will trust this certificate. You will not be required to re-issue.
It is safe to continue to use Symantec certificates, but you will need to keep some of these key dates in mind to avoid any disruption. If your certificate has been purchased at any time with a 1-year validity period, it is very likely that no action is required on your part.
We would like to remind you that re-issues for the Symantec family of certificates (Symantec, Thawte, GeoTrust, RapidSSL) can be done free of charge.