Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


20170808 - Major changes at Symantec

As announced previously in our article certificates issued by authorities of the Symantec Group (Symantec, Thawte and Geotrust) will soon have to comply with new rules for the purpose of keeping their recognition on Google's Browser Chrome and on Firefox.

FOCUS - Certificates issued before 1st June 2016 are the main target. Google Chrome will cease to recognized them as of March 2018 (Chrome 66 release).

New platform

It is the key measure of the sanctions imposed by Google: a new PKI (Public Key Infrastructure) that must be implemented and replace Symantec's PKI for all certificates' issuance of the group.

Currently valid certificates will have to be re-issued by this platform. They will have to be reinstalled along with the entire certification chain. This PKI should (ideally) be ready on 1st December 2017.

For now, we do not have any information regarding the new certification chain (will they allow crossed-signed intermediate certificates for example?).

Once the PKI is available, the certificates issued before 1st June 2016 and expiring after 13 September 2018 will have to be reissued (between December 2017 and mid-March 2018).

Finally, all certificates issued before December 2017 will have to be reissued between December 2017 and mid-September 2018 (before Chrome 70 is released).

Update 20170913: Symantec is communicating about its new PKI and confirms it will be available on 1st December 2017. At the highest level, they are creating two new Symantec-branded root certificates, one RSA and one ECC. From these two root certificates, they are signing intermediate CA certificates for Symantec, Thawte, and GeoTrust brands. Within each brand, they’ll have separate RSA and ECC intermediate CA certificates for Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV) certificates.

Are you concerned?

An e-mail will be sent for any certificate corresponding to one of the criteria requiring a reissuance. It will indicate the period during which your certificates should be reissued.

A listing of certificates to reissue will also be displayed on you account (if you have a Certificate Center) and an alert will show on the status pages on the concerned certificates (from the start date of the reissuance period).

What consequences if your certificates are not reissued?

Certificates issued before 1stJune 2016 will be rejected by Chrome (version 66) as of March 2018 (Chrome 62 will add alerting in DevTools as of October 2017) and by Firefox (version 60 as of May 2018. The other certificates, if they have not been issued by the new PKI, won't be recognized by Chrome 70 that should be released by the end of 2018 and by Firefox 63 in December 2018.

Calendar

  • Certificates issued before 2016-06-01
    • expiration after 2017-09-13: reissuance recommended between December 2017 and mid-March 2018
    • expiration after 2018-03-15: reissuance recommanded from now on - Ideal period: before 1st December 2017


  • Certificates issued after 2016-06-01
    • expiration after 2017-09-13: reissuance recommended between December 2017 and mid-September 2018 - Ideal period: between 15th March 2018 and mid-September 2018


  • Certificates valid 3 years issued after 2017-01-01
    • reissuance recommended between 1st December 2017 and 15th February 2018

You want to keep certificates chained to a Symantec root?

Then order or renew your certificates before December 2017. After the new PKI is operational it won't be possible to get certificates with a full Symantec certification chain. Be careful though: a reissuance after December 2017 will automatically attach these certificates to one of the new certification chains.

Reminder: The "former chain" certificates won't be recognized by Chrome and Firefox at the end of 2018.

Useful Links