

20170324 - Will Google Chrome keep recognizing certificates issued by the Symantec group?

To everyone's surprise, Google announced last March a project to restrict support for certificates issued by the Symantec family (including certificates issued by Symantec, Thawte, Geotrust and RapidSSL) in its web browser, Google Chrome.

The project would progressively restrict the lifetime of the group's certificates to 9 months, forcing a re-validation of the affected certificates. In January, Google had submitted a proposal to the CAB Forum that aimed to radically limit the lifetime of all certificates. That proposal was rejected, but Google threatened to apply it unilaterally.

Google also suggested that the EV treatment (green URL bar) of Symantec products might disappear. This is part of Google's wish to stop displaying EV certificates differently in its browser.

Symantec contests these proposals and asserts that they are based on incorrect evidence. Discussions between Symantec and Google are still ongoing. The Chromium "Blink" decision process is transparent, and 3 project managers have to give their "go" in order to validate it.

Symantec wants to reassure its customers of its commitment to seeing its products recognized by web browsers. It adds that, in case of an unfavorable decision from Google, Symantec will allow its certificates to be reissued so that they respect the enforced maximum validity period.

TBS Internet is affected by this situation and is monitoring it carefully in order to offer its customers the quickest and least painful solutions. In this context, we have published our recommendations and a precise calendar of the actions to undertake.



EDIT 20181022 - Chrome 70 has been released, but the deprecation of certificates issued from the former Symantec PKI will be progressive. The change will reach a small percentage of Chrome 70 users initially, then slowly scale up to 100% of Chrome 70 users over several weeks. Customers who have not reissued their certificates will benefit from a few weeks' respite. Consult Google's communication.

struckout text: measures finally abandoned



20170522 - A new draft of the project is pending

After studying the extensive feedback prompted by the announcement presented above, Google has come back with new guidelines regarding the Symantec family's certificates. These new measures replace the previous ones.

Key information: the lifetime limitation to 9 months is abandoned.

The new proposals

  • Symantec will modernize its platform and PKI dedicated to website certificate issuance (Symantec has already started working on this)

  • Until the modernized platform is ready and accepted into major trust stores, certificates would need to be issued through one or more independently operated third-party CAs (aka “Managed CAs”) that Symantec would partner with

  • The Managed CAs could be cross signed by an agreed upon set of existing Symantec roots, to take advantage of the existing roots' ubiquity in trust stores

  • EV certificates can be issued by Managed CAs, provided that they meet the validation requirements

  • Validity period of new certificates can be up to 39 months, or to the maximum allowed by Chrome for all CAs (currently specified in the Baseline Requirements and EV Guidelines), provided that a Managed CA fully revalidates the information. During a bridge period, Managed CAs can reuse existing validation information but lifetimes must be limited to 13 months.

  • Existing certificates issued on or after 1st June 2016 would still be trusted, provided they comply with the Chrome CT policy. EV certificates issued on or after this date will continue to be granted EV treatment.

  • Existing certificates issued before 1st June 2016 would go through a phased distrust based on notBefore dates.

20170728 - Symantec and Google agree on a schedule

Both parties have finalised a schedule to replace all existing certificates and reissue them on a new PKI platform. Numerous details are still missing: we hope to disclose them mid-August. Customers affected by a reissue will receive a customised email in due time (no action is necessary at the moment).

The calendar

  • March 2018: when Chrome 66 is released, only Symantec certificates issued after 1st June 2016 will be trusted. We will invite customers to reissue on the new platform when it becomes available.

  • September 2018: when Chrome 70 is released, Symantec certificates will all need to be issued from the new platform to be trusted. We will invite customers to reissue on the new platform when it becomes available.

Consult our article regarding this matter.

Our recommendations

Follow this page to obtain instructions. Remember we will be contacting you by email if and when action is required on your side.

Apple is about to distrust Symantec roots as well

Apple is taking action to distrust Symantec certificate authorities.

The calendar

  • August 1, 2018: Apple products will cease trusting certificates issued before June 1, 2016. Regarding certificates issued between June 1, 2016 and December 1, 2017: only certificates that have been published to a trusted CT log will be trusted.

  • Fall 2018: Apple products will completely distrust all Symantec CAs
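
To triage a certificate inventory against the Chrome and Apple calendars above, the following added example (not code from TBS Internet, Google or Apple) reads the output of `openssl x509 -noout -issuer -startdate` and returns the first milestone at which each vendor stops trusting the certificate. It assumes the input is a certificate from the former Symantec PKI (not one reissued on the new platform), identifies the family by a substring match on the brand names listed on this page, and treats 1 June 2016 itself as trusted; the function names and sample certificates are constructed for illustration.

```python
import re
from datetime import datetime

# Brands named on this page; a substring match on the issuer line is a heuristic.
FAMILY = ("symantec", "thawte", "geotrust", "rapidssl")
CUTOFF = datetime(2016, 6, 1)         # 1 June 2016 (Chrome 66 and Apple calendars)
APPLE_CT_END = datetime(2017, 12, 1)  # 1 December 2017 (Apple calendar)

# Constructed samples in the format of `openssl x509 -noout -issuer -startdate`.
SAMPLE_OLD = "issuer=C = US, O = GeoTrust Inc., CN = Example RapidSSL CA\nnotBefore=May 12 00:00:00 2016 GMT\n"
SAMPLE_MID = "issuer=C = US, O = Symantec Corporation, CN = Example Issuing CA\nnotBefore=Mar  3 08:15:00 2017 GMT\n"
SAMPLE_OTHER = "issuer=C = FR, O = Example CA, CN = Example Root\nnotBefore=May 12 00:00:00 2016 GMT\n"


def parse_openssl(text):
    """Return (issuer, notBefore as a naive UTC datetime) from the openssl output."""
    issuer = re.search(r"^issuer=\s*(.+)$", text, re.M)
    start = re.search(r"^notBefore=(.+?)\s+GMT\s*$", text, re.M)
    if not issuer or not start:
        raise ValueError("expected issuer= and notBefore= lines")
    not_before = datetime.strptime(start.group(1), "%b %d %H:%M:%S %Y")
    return issuer.group(1).strip(), not_before


def first_distrust(text, ct_logged=False):
    """First milestone at which Chrome and Apple stop trusting the certificate."""
    issuer, not_before = parse_openssl(text)
    if not any(brand in issuer.lower() for brand in FAMILY):
        return {"chrome": "not affected", "apple": "not affected"}
    if not_before < CUTOFF:
        return {"chrome": "Chrome 66 (March 2018)", "apple": "August 1, 2018"}
    # Issued from 1 June 2016 on: Chrome trusts the certificate until Chrome 70.
    result = {"chrome": "Chrome 70 (September 2018)", "apple": "Fall 2018"}
    if not_before < APPLE_CT_END and not ct_logged:
        result["apple"] = "August 1, 2018"  # Apple requires CT logging in this window
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_MID, SAMPLE_OTHER):
        print(parse_openssl(sample)[0], first_distrust(sample))
```

Pass `ct_logged=True` for certificates known to be published to a trusted CT log; that only changes the Apple result for certificates issued between June 1, 2016 and December 1, 2017.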
