Mandatory reissuance of Symantec certificates that lose credibility
We have previously written in our blog that certificates issued by Symantec and its brands GeoTrust, RapidSSL and Thawte will lose credibility after March 15. The deal between Symantec and DigiCert has now been finalized, so we can give detailed information about the steps that holders of such certificates need to take. On October 31, 2017, Symantec’s entire SSL certificate business was taken over by DigiCert.
What does all this mean for me?
All certificates that were previously issued by Symantec (GeoTrust, Thawte and RapidSSL) must be re-issued and re-validated by the new DigiCert Certification Authority by a certain date in 2018 to avoid browser warnings about an untrusted certificate.
Don’t worry, this process will be quick and easy. The validation process at DigiCert is quite well organized. Up to a certain date, your SSL certificates will work as usual and will satisfy all browser requirements. This means that your clients will see all the attributes of a working SSL certificate (such as the padlock, the green address bar and https).
What are the deadlines for reissuing?
There is a fairly long period of time for reissuance of certificates.
- If an SSL certificate was issued before June 1, 2016 and expires after March 15, 2018, you must re-issue it by March 15, 2018.
- If an SSL certificate was issued between June 1, 2016 and December 1, 2017 and expires after September 13, 2018, you must re-issue it by September 13, 2018.
[Figure: timeline of when to re-issue SSL certificates previously issued by Symantec/GeoTrust/Thawte/RapidSSL]
How do I check if my certificate needs to be reissued?
If you are not sure whether you need to reissue your SSL certificate, you can check it with the dedicated SSL tools service. Just enter the domain where your certificate is installed. If the response is “Yes! You DO need to re-issue your certificate”, then your certificate must be re-issued, and the response will include the date by which this must be done.
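The deadline rules listed above can also be applied locally to a certificate's issuer and validity dates. The following Python is an added example, not code from this provider or from the SSL tools service; it parses the output of `openssl x509 -noout -issuer -dates`, and the brand substring match, the half-open date windows and the sample certificates are assumptions constructed for illustration.

```python
from datetime import datetime

# Brands named on this page. Matching them as substrings of the issuer
# line is an assumption of this example, not an authoritative CA list.
AFFECTED_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")

# (issued on/after, issued before, reissue deadline), from the list above.
# Treating each window as half-open [start, end) is an assumption.
WINDOWS = [
    (datetime.min, datetime(2016, 6, 1), datetime(2018, 3, 15)),
    (datetime(2016, 6, 1), datetime(2017, 12, 1), datetime(2018, 9, 13)),
]

def parse_openssl_fields(text):
    """Parse the output of: openssl x509 -noout -issuer -dates -in cert.pem"""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()

    def to_dt(value):
        # openssl prints e.g. "Feb  3 00:00:00 2017 GMT" (day is space-padded)
        return datetime.strptime(value.replace(" GMT", ""), "%b %d %H:%M:%S %Y")

    return fields["issuer"], to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def reissue_deadline(issuer, not_before, not_after):
    """Return the reissue deadline, or None when the rules above do not apply."""
    if not any(brand in issuer.lower() for brand in AFFECTED_BRANDS):
        return None
    for start, end, deadline in WINDOWS:
        if start <= not_before < end and not_after > deadline:
            return deadline
    return None

# Constructed sample output (not taken from a real certificate).
SAMPLE_OLD = """issuer=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
notBefore=May 10 00:00:00 2016 GMT
notAfter=May 10 23:59:59 2018 GMT"""
SAMPLE_NEW = """issuer=C = US, O = thawte, Inc., CN = thawte SSL CA - G2
notBefore=Feb  3 00:00:00 2017 GMT
notAfter=Feb  3 23:59:59 2019 GMT"""

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        print(reissue_deadline(*parse_openssl_fields(sample)))
```

A result of `None` means only that neither rule on this page matched; it says nothing about whether the certificate is otherwise valid.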
Where can I see a list of my certificates?
To meet the new browser requirements, you will need to re-issue, validate, and reinstall some of the SSL certificates you ordered from us. You can see the list of your certificates in your personal account at https://my.tuthost.ua/ in the SSL-certificates section. The expiration date of each certificate is shown in the “valid until” field.
You can also see the start and end date of the certificate in your browser if you go to the site where the certificate is installed.
How do I re-issue an SSL certificate?
To reissue a certificate, click the desired certificate and click “Reissue”.
You can select the “With old values” option in the certificate request, and a new private key will be generated. You will need to save it and replace the key on the server after the new certificate is issued.
If you want to re-issue the certificate without changing the key, select the “Specify existing” option and specify the existing CSR. If you do not have it saved, you can download it by double-clicking the desired certificate and using the download file link opposite the option.
After submitting a re-issue request, you will need to re-validate the certificate and, after the certificate is re-issued, reinstall it on the server.
Re-issuing a certificate means that it has to be re-validated. OV and EV certificates will require a full verification of the organization. DV certificates require only a domain check. In most cases, the validation center uses existing information and additional documents will not be needed. In some situations, you may need a verification call.
For all DV certificates, after you request a reissue you will receive a validation e-mail at admin@, hostmaster@ in your domain. It will contain a link to confirm the reissue.
After the new certificate is issued, the old certificate will remain valid until you install the new one, but not beyond its expiration date.
The expiration date of the new certificate will be the same as the old one.
What happens if I don’t re-issue the certificate on time?
After the new browser versions are released, visitors who use the latest version of a browser will get a warning about an untrusted certificate when they visit your site. This applies first of all to the Google Chrome browser.
And in conclusion…
Because Symantec certificates are now managed by DigiCert, one of the best and most modern certificate authorities, the industry will only benefit. Similar changes have happened before, when Verisign became part of Symantec. The reliability and speed of certificate verification at DigiCert should satisfy all customers.