Action Required by Most GeoTrust, RapidSSL and Thawte Customers to Remain Trusted by World’s Most Popular Browser
As you may be aware, in early 2017 the developers of Google’s Chrome web browser formally expressed concern regarding evidence that Symantec had failed on multiple occasions to properly conduct required validation prior to the issuance of many of their SSL certificates.
Symantec has since conceded that they failed to follow proper industry procedures regarding the issuance of many SSL certificates. As a result, the validity of all Symantec SSL certificates has been called into question, including all SSL certificates originating from the Symantec-owned and -operated subsidiaries GeoTrust, RapidSSL and Thawte.
The developers of Chrome have committed to distrusting all currently issued Symantec, GeoTrust, RapidSSL and Thawte certificates through a phased software release schedule of the Chrome browser that will begin next month and end October 2018. Once implemented, users of updated Chrome browsers will no longer be able to securely view websites with currently issued Symantec, GeoTrust or RapidSSL certificates.
As of mid-2017, the developers of Mozilla’s Firefox web browser have also expressed the same concerns, and intend to phase out trust of the same certificates on the same timeline as Chrome.
The overall solution to this certificate trust issue involves Symantec contracting with an industry-trusted partner, DigiCert, who will then take on signing authority of all Symantec, GeoTrust, RapidSSL and Thawte certificates. Once the infrastructure is in place for DigiCert to assume signing authority, the problem regarding the mistrust of these certificates can be resolved via the free reissuance of each problematic certificate. The reissuance will produce an updated certificate with a chain of signatories that includes DigiCert. Once the reissuance is complete, the certificate will again be trusted on an ongoing basis by both Google’s Chrome browser and Mozilla’s Firefox browser.
Action Required by Symantec SSL (GeoTrust, RapidSSL, Thawte) Certificate Owners
If you are the owner of one or more Verisign, GeoTrust, RapidSSL or Thawte SSL certificates, you will most likely need to take action in order for your SSL certificates to remain trusted by both the Chrome and Firefox browsers. The steps that you will need to take will depend on the date of issuance and date of expiry of your certificate(s), and how these dates coincide with the dates of Symantec’s infrastructure changes and the release schedule of successive versions of the Chrome web browser.
1 – Certificates issued or reissued on or AFTER December 1, 2017 are not at risk. These certificates will be signed by DigiCert and will be trusted in an ongoing fashion by all browsers.
2 – Certificates issued BEFORE December 1, 2017 all have issues. For these certificates, no action can be taken until at least December 1, 2017. The action required after December 1, 2017 is either reissuance or, if applicable, renewal – or in some cases both.
Below we have identified six different scenarios and recommended actions to take in each.
CERTIFICATES EXPIRING BEFORE DECEMBER 1, 2017
We suggest that you renew your certificates as usual prior to December. This will allow you to have a valid certificate for approximately one more year (up until no later than October 2018). Chrome and Firefox are still eventually going to have an issue with this renewed certificate around October 2018; however, the issue can be resolved through a second step of reissuance or renewal via GeoTrust’s new DigiCert infrastructure, which will have been in place since December 1, 2017.
- Step 1: Renew now
- Step 2: Renew or reissue any time between December 1, 2017 and either October 2018, or your certificate’s natural expiration date, whichever comes first.
Another option for customers in this category would be to buy a new, reputable, alternative brand certificate such as Comodo upon expiry of their original, instead of going through the renewal and reissuance process.
CERTIFICATES EXPIRING DURING DECEMBER 2017
Due to the industry transitions that are scheduled to occur on and around December 1st, we feel it is prudent to plan for the unknown. Changes in process, infrastructure, and even the Christmas holiday season, could all contribute to delays in completing what would be a time-critical SSL renewal.
We strongly recommend replacing any certificate that expires in December 2017 before December 2017 begins.
Yes, this would mean ordering, configuring and installing a new certificate a month or two earlier than technically necessary — and thus putting you into the category above, as if your certificate were expiring before December — and needing to take both steps as outlined above.
- Step 1: Purchase a new certificate now (in lieu of renewing in December 2017).
- Step 2: Renew or reissue any time between December 1, 2017 and either October 2018, or your certificate’s natural expiration date, whichever comes first.
CERTIFICATES ISSUED AFTER JUNE 1, 2016 AND EXPIRING BETWEEN JANUARY 1, 2018 AND OCTOBER 2018
No immediate action is needed, since certificates within these dates are not at risk of being distrusted during their current term. These certificates will simply need to be renewed prior to their natural expiration dates.
- Note: No special steps or action required. Renew the certificate just prior to it naturally expiring.
CERTIFICATES ISSUED AFTER JUNE 1, 2016 AND EXPIRING AFTER OCTOBER 2018
These certificates will be distrusted as of October 2018; therefore, we suggest they be reissued at some point after December 1, 2017.
- Action: Reissue any time between December 1, 2017 and the certificate’s natural expiration date.
CERTIFICATES ISSUED BEFORE JUNE 1, 2016 AND EXPIRING AFTER APRIL 17, 2018
Due to the early issuance dates, these certificates must be reissued and replaced BEFORE the release of Chrome 66, which is expected April 17th, 2018, in order to remain trusted in Chrome.
As with all other certificates, we recommend waiting until after December 1, 2017 to reissue. On this date, DigiCert will begin issuing certificates. By waiting until this date, you will only need to replace your certificate once.
If you reissue before DigiCert takes over, your certificate will come from one of Symantec’s current root certificates and will need to be replaced again before October 2018.
- Action: Reissue any time between December 1, 2017 and April 17, 2018.
CERTIFICATES ISSUED BEFORE JUNE 1, 2016 AND EXPIRING BEFORE APRIL 17, 2018
This certificate will be OK. However, if you want to renew it early, before 2018-01-01, then we recommend switching to a Comodo brand certificate to avoid having to renew with Symantec and then reissue again later.
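The scenarios above depend only on a certificate's issue date and expiry date, so an inventory can be triaged mechanically. The Python below is an added example, not part of the original notice: it reads the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates` and returns the matching scenario and action. The function names, the sample hostnames, the use of October 1, 2018 for "October 2018", and the handling of exact boundary days are assumptions of this example.

```python
from datetime import date, datetime

# Cutoff dates taken from the scenarios above.
DIGICERT_START = date(2017, 12, 1)   # certificates issued from here are not at risk
EARLY_ISSUE = date(2016, 6, 1)       # "issued before/after June 1, 2016"
CHROME_66 = date(2018, 4, 17)        # expected Chrome 66 release
# Assumption: the page says only "October 2018"; the first of the month is a
# conservative stand-in for the final distrust date.
FINAL_DISTRUST = date(2018, 10, 1)

def parse_openssl_date(line):
    """Parse one line of `openssl x509 -noout -dates`, e.g. 'notAfter=Dec 15 12:00:00 2017 GMT'."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").date()

def classify(issued, expires):
    """Map a certificate's dates to (scenario, action), testing in the page's order.
    Exact boundary days are not addressed on the page; the comparisons are this example's choice."""
    if issued >= DIGICERT_START:
        return "issued on/after Dec 1, 2017", "no action"
    if expires < DIGICERT_START:
        return "expires before Dec 1, 2017", "renew now; renew or reissue again after Dec 1, 2017"
    if expires <= date(2017, 12, 31):
        return "expires during Dec 2017", "buy a new certificate now; renew or reissue after Dec 1, 2017"
    if issued < EARLY_ISSUE:
        if expires >= CHROME_66:
            return "early issue, expires after Apr 17, 2018", "reissue between Dec 1, 2017 and Apr 17, 2018"
        return "early issue, expires before Apr 17, 2018", "no action"
    if expires >= FINAL_DISTRUST:
        return "expires after Oct 2018", "reissue between Dec 1, 2017 and expiry"
    return "expires Jan to Oct 2018", "renew just before expiry"

# Constructed sample inventory: (hostname, notBefore line, notAfter line).
SAMPLE = [
    ("www.example.test", "notBefore=Mar  3 00:00:00 2016 GMT", "notAfter=Mar  3 23:59:59 2019 GMT"),
    ("shop.example.test", "notBefore=Jan 10 00:00:00 2017 GMT", "notAfter=Dec 15 12:00:00 2017 GMT"),
    ("api.example.test", "notBefore=Aug 20 00:00:00 2016 GMT", "notAfter=Aug 20 23:59:59 2018 GMT"),
]

def triage(inventory):
    """Return {hostname: (scenario, action)} for every inventory entry."""
    return {host: classify(parse_openssl_date(nb), parse_openssl_date(na)) for host, nb, na in inventory}

if __name__ == "__main__":
    for host, (scenario, action) in triage(SAMPLE).items():
        print(f"{host}: {scenario} -> {action}")
```

Checks run in the order the notice lists its scenarios, so a certificate expiring in or before December 2017 is caught by the expiry rules before its issue date is considered.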
We realize that this is a lot of detailed information, and it may be confusing to some of our affected SSL customers. We are here to support you and help make sure that your SSL certificate remains valid and trusted throughout the period of transition to DigiCert as signing authority and beyond. As always, should you have any questions or concerns, we invite you to contact our Customer Support department for personal assistance. We would be happy to review the status of your current SSL certificates with you and help determine the specific actions you will need to take to keep your SSL certificate in good standing.