Back in March 2017, Google had given a setback to all users who were using Symantec SSL certificates, that Google Chrome browser will not trust all certificates that were issued by Symantec. The decision was taken by Google due to a series of failures by Symantec Corporation to properly validate the certificates before issuing them.
Google’s decision of not trusting SSL certificates which were issued by Symantec came as a shock to everyone who had been using the SSL certificates that were issued by Symantec and its subsidiary companies such as Geotrust, Thawte, RapidSSL, Symantec etc.
However, it seems Google and Symantec have now decided to resolve this problem. Recently we got to know that Google and Symantec have now agreed on a plan that requires Symantec to migrate certificate validation to a third party. In exchange, Google would ensure that the Chrome browser continues to trust Symantec certificates validated by this third party. Shortly thereafter, DigiCert announced its plan to acquire Symantec’s Website Security Business by the end of 2017. With this acquisition, Digicert would effectively take over the validation for all of Symantec’s certificate brands by December 1st, 2017, which would satisfy the asks of the browser community.
In light of these changes, Google has announced an updated plan as to how Chrome would deal with certificates issued by DigiCert’s validation infrastructure. This plan has received some coverage in the media, stating that Google would no longer trust any Symantec certificate brand by 2018. This information is incomplete, incorrect and it has created some confusion and uncertainty. Here’s what you need to know:
- Until December 1, 2017, Symantec will continue to issue certificates from its current validation platform. Chrome will continue to trust certificates issued between now and December 1, 2017 until September 13, 2018.
- From December 1, 2017, all Symantec certificate brands (Symantec, GeoTrust, Thawte and RapidSSL) will be issued from DigiCert’s validation platform and Chrome will trust those certificates. For clarity: the Symantec certificate brands will continue to exist after December 2017, they will only be issued from a different, upgraded validation platform. Google will continue to trust all Symantec certificates that have been issued from this new platform after December 1st, 2017.
What does this mean if you have a certificate from any of the Symantec brands?
Certificates issued prior to June 1, 2016
If you have a certificate that has been issued prior to June 1, 2016, the Chrome browser will no longer trust this certificate after March 15, 2018. In order to retain trust by the Chrome browser, you need to replace this certificate. Some important dates to keep in mind:
- If the certificate expires prior to March 15, 2018, you need to do nothing. The certificate will continue to be trusted by Chrome until it expires.
- If the certificate expires after March 15, 2018, but before September 13, 2018, you can re-issue this certificate any time before March 15, 2018.
- If the certificate expires after September 13, 2018, you will need to re-issue the certificate after December 1st, 2017 but before March 15, 2018. You cannot re-issue the certificate at this time.
Certificates issued after June 1, 2016
If you have an existing certificate that has been issued after June 1, 2016, the Chrome browser will no longer trust this certificate after September 13, 2018. Some important dates to keep in mind:
- If the certificate expires prior to September 13, 2018, you need to do nothing. The certificate will continue to be trusted by Chrome until it expires.
- If the certificate expires after September 13, 2018, you will need to re-issue the certificate after December 1, 2017 but before September 13, 2018. You cannot re-issue the certificate at this time.
- If you purchase a new certificate between now and December 1, 2017, the Chrome browser will trust this certificate until September 13, 2018. You will need to re-issue this certificate after December 1, 2017, and before September 13, 2018, to retain trust by the Chrome browser after September 13, 2018.
- If you purchase a new certificate after December 1, 2017, the Chrome browser will trust this certificate. You will not be required to re-issue.
It is safe to continue to use Symantec certificates, but you will need to keep some of these key dates in mind to avoid any disruption. If your certificate has been purchased at any time with a 1-year validity period, it is very likely that no action is required on your part.