Symantec certificates will lose credibility in Chrome browser. What to do and how to prepare?
Who will be affected by the changes that will take place in 2018
In March, the Google Chrome team reported problems and violations of standards in Symantec’s certificate-issuing procedure. This problem has been discussed for the last four months between Google, Symantec and other members of the Internet community. Google and Mozilla were planning to begin the process of losing trust in Symantec certificates, due to numerous violations in the customer validation process, when issuing EV (Extended Validation) certificates.
In late July, Chrome and Symantec announced their final plan to address the situation. And the original August 8, 2017 deadline is no longer valid.
If you run a site that uses Symantec certificates, please read this material to be aware of the changes that will affect you in future versions of the Chrome browser and how you can replace your certificate for free before the changes take effect. This will affect a smaller number of users than originally expected, and in this material we have prepared instructions on how to avoid problems associated with this change.
This material is primarily intended for site owners and administrators who use any Symantec certificate. For end users, you don’t have to do anything.
Will this problem affect me?
If you are currently using a Symantec certificate or plan to order one in 2017, this may apply to you.
Note that Symantec operates many brands and this information applies to all. Namely:
Also note that Mozilla Firefox is planning to take similar action on the loss of trust in certificates in their browser, but they have not yet announced a final plan.
There’s no reason to panic – there won’t be any changes until 2018, so there’s still plenty of time to prepare.
Chrome will remove trust in Symantec certificates in two steps. The first stage will affect certificates issued before June 1, 2016. The second phase will affect all Symantec certificates issued using their current root certificates – including certificates that have not yet been issued.
To comply with Google’s plan, you need to replace your current Symantec certificates using the free reissue process. You will be able to do this with minimal interruptions to your work.
Note: Our customers will receive an email message with information on what they need to do.
Why is this happening?
As a result of the standards violation, Google Chrome decided that Symantec’s current root certificates should be revised in Chrome. It is about the fact that a number of test certificates were incorrectly issued. Google uses this as an argument that all Symantec certificates are now under suspicion.
It seems like an overreaction to us, but we try to notify our customers so that it affects their business as little as possible.
As a result of Google’s position, many Symantec SSL certificates will lose credibility in the Chrome browser and users will see errors in the browser when visiting sites with such certificates.
This will happen in two phases, the first starting in April 2018 and the second in October 2018 (we’ll talk more about the phases below).
Symantec plans to enter into a partnership and issue certificates through another certificate authority (CA), which will issue certificates under the Symantec name starting this December. This partner will continue to issue certificates until Symantec adds new root certificates to browsers.
This will allow Symantec to continue issuing trusted certificates without interruption due to the announced changes to Chrome.
Symantec’s long-term plan is to add a new root certificate to all devices, allowing them to continue issuing certificates themselves.
Next we will talk about the key dates.
When do I need to do something?
The gradual loss of trust in existing Symantec certificates in Chrome will occur in two stages, it will coincide with the release of Chrome version 66 and version 70. Version 61 is currently in use.
When Chrome 66 is released (expected in mid-April 2018) all Symantec certificates issued before June 1, 2016 will lose credibility unless action is taken. This means that Chrome 66+ users will not be able to establish an https connection to your site and will see a warning.
The second phase will happen along with the release of Chrome 70 (expected in late October 2018). All Symantec certificates issued with their current root certificate will lose credibility by this date if not reissued in time.
Depending on the issue and expiration date of your current certificate, you may need to replace your Symantec certificate so that it remains trusted during this period. This may depend on the timeliness of future improvements to Symantec’s PKI (Public Key Infrastructure).
How to prepare
To understand and prepare for all of these events, we have compiled a table with key dates.
| Date (approximate) | Chrome version | What happens? | How to prepare? |
|---|---|---|---|
| 24 October 2017 | 62 | Chrome 62 will display a message in developer tools to help identify certificates affected by the loss of trust in Chrome 66. | Go to your site and open the developer tools in Chrome – this will allow you to determine which sites will be affected by the loss of trust in Chrome 66. |
| 1 December 2017 | N/A | Partner Certification Authority (CA) will begin issuing certificates for Symantec | End users may see some minor changes in the certificate issuance process. From a technical point of view, this date is very important as it signifies the start of the “new” Symantec certificates. Certificates issued after this date will be issued with different root certificates and will not be affected by the loss of trust in Chrome. |
| 17 April 2018 | 66 | All Symantec certificates issued before June 1, 2017 will lose credibility in Chrome. Certificates issued after 1 June 2016 will not be affected by this issue. | Replace all Symantec certificates issued before June 1, 2016 by this date. You can do this by re-issuing your certificate for free and installing a new certificate to replace the old one. If your certificate expires around this time (April-July) you may want to renew it, along with a re-issue to avoid having to replace it twice in a short period of time. |
| 28 October 2018 | 70 | All certificates issued by Symantec with their current infrastructure (root certificates) will lose trust in Chrome. | Starting December 1 this year, you will be able to get new certificates from Symantec, which will be issued by their partner certification center. These certificates, on the technical side, will be issued by another certificate authority and will be trusted by Chrome. |
Starting with the stable version of Chrome 62, a message will be added to developer tools when the certificate loses trust in Chrome 66. Developers can use this functionality to make sure which certificates on their site are affected.
You can also download Chrome Canary, an early release that allows you to see this option earlier. Chrome 66 will be available on Canary in January, giving you the chance to see your site the way users will see it in the stable version of Chrome 66 later in the year.
Our recommended plan of action
In order for these events to have minimal consequences for you, we recommend the following plan of action:
If your certificate expires BEFORE December 2017…
We recommend that you renew (instead of reissuing) your certificate until December. This will allow you to have a trusted certificate until October 2018, when all Symantec certificates issued with the current root certificate will need to be replaced.
If your certificate expires in DECEMBER 2017…
We recommend that you consider a replacement certificate to avoid interruptions. For now, Symantec is hoping to find a CA partner certification center that will issue certificates starting December 1 (Friday). If you can wait to reissue and replace that certificate after the fact, you probably won’t need to replace your certificate again until its expiration date.
Note, however, that there may be delays that will prevent Symantec from doing this on December 1 and there may also be a very large number of release requests at this time, which may cause technical difficulties.
So there is some risk in waiting until December to reissue the certificate, which ends in December.
If you need to replace your certificate before the affiliate CA starts issuing certificates, you can replace your certificate before the Chrome 70 release (expected in late December 2018).
If your certificate expires AFTER December 31, 2017…
We recommend that you wait to replace any of your certificates until after Symantec’s partner begins issuing certificates (expected December 1, 2017)
After that date, you can start reissuing and replacing certificates if needed. If your certificate expires by March 30, 2018, renewing your certificate will be the easiest option for you.
This will allow you to replace the certificate at one time. Certificates issued by a Symantec partner certificate authority will not be affected by changes to Chrome and there will be no need to change them before they expire.
Special case: if your certificate was issued before June 1, 2016 and expires after April 17, 2018…
Your situation is a special case. Your certificate must be reissued and replaced BEFORE the Chrome 66 release, which is expected on April 17, 2018, in order to remain trusted in Chrome.
However, you must wait until December 1, 2017 to reissue your certificate. Symantec Partner Certification Center will begin issuing certificates on that day. If you wait until that date, you only need to replace the certificate once.
If you re-issue a certificate before Symantec Partner, your certificate will be issued using one of the current root certificates and will need to be replaced after October 2018.
