September 20, 2017
Ryan Mathus
Senior Security Engineer

Google to Distrust Symantec SSL Certificates


Google has announced that by November 2018, Google Chrome will distrust any website protected by an SSL certificate issued by Symantec. Between now and then, Google Chrome will gradually begin showing a warning on any website that uses a Symantec-issued SSL certificate. For more information on when Symantec SSL certificates will become invalid, see this article on Tom’s Hardware.

Why is Google doing this?
In 2017, it was discovered that Symantec had issued SSL certificates to questionable websites and without proper oversight. Symantec has since sold its SSL business to DigiCert, and the new infrastructure at DigiCert will be online around December 1, 2017.

What SSL brands are affected?
Symantec issues SSL certificates under the following brands: Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL.

Is my certificate affected?
To determine if your SSL certificate is affected, open Google Chrome and go to the domain that is secured by the certificate. Once the website loads, press F12 on your keyboard. This will open Chrome Developer Tools. Navigate to the Security tab and click View Certificate. In the resulting popup, the General tab shows who the certificate was issued by.

If your SSL certificate was issued by Thawte, VeriSign, Equifax, GeoTrust, or RapidSSL, you may need to have it reissued. Contact your vendor for further instructions on doing that. Take note of the "valid from" and "valid to" dates, as those are important in determining whether your certificate is affected.

  • If your SSL certificate was issued before June 1, 2016 and expires before June 13, 2018, you will need to have it reissued between now and March 15, 2018.
  • If your SSL certificate was issued before June 1, 2016 and expires after September 13, 2018, you will need to wait until December 1, 2017 and then reissue the certificate before March 15, 2018.
  • If your SSL certificate was issued before December 1, 2017 and expires after September 13, 2018, you will need to reissue it after December 1, 2017 but before September 13, 2018.

If you have ordered your SSL certificate through Edge Hosting, we will contact you via the portal if it is affected. Warnings will show in Google Chrome up until the release of Chrome 70 in Q3 2018. From the release of Chrome 70, any SSL certificates that match the above issuers and dates will be untrusted in Google Chrome 70 and above.
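The issuer and date check described above can be scripted when there are many hosts to review. The following Python sketch is an added example, not part of the original article or Edge Hosting's tooling; the function names and sample certificates are constructed for illustration, and it applies only the brands and date rules listed above to the dict returned by `ssl.getpeercert()`.

```python
import socket
import ssl
from datetime import datetime, timezone

# Brands listed in the article, plus Symantec itself
BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def _when(text):
    # getpeercert() dates look like "Jun  1 00:00:00 2016 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def classify(cert):
    """Apply the article's issuer and date rules to a getpeercert() dict."""
    # cert["issuer"] is a tuple of RDNs, each a tuple of (name, value) pairs
    issuer = " / ".join(v for rdn in cert.get("issuer", ()) for _, v in rdn)
    if not any(brand in issuer.lower() for brand in BRANDS):
        return "not a listed brand"
    issued, expires = _when(cert["notBefore"]), _when(cert["notAfter"])
    # The second bullet is a narrower case of the third, so test it first
    if issued < _utc(2016, 6, 1) and expires > _utc(2018, 9, 13):
        return "reissue after 2017-12-01 and before 2018-03-15"
    if issued < _utc(2016, 6, 1) and expires < _utc(2018, 6, 13):
        return "reissue before 2018-03-15"
    if issued < _utc(2017, 12, 1) and expires > _utc(2018, 9, 13):
        return "reissue after 2017-12-01 and before 2018-09-13"
    return "listed brand, but outside the article's date rules"

def fetch(host, port=443):
    """Fetch the leaf certificate (needs network; raises ssl.SSLError if
    the local trust store rejects the chain)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def sample(org, not_before, not_after):
    # Constructed certificate dict in getpeercert() shape, for offline use
    return {"issuer": ((("organizationName", org),),),
            "notBefore": not_before, "notAfter": not_after}

if __name__ == "__main__":
    demo = sample("GeoTrust Inc.", "Jan  1 00:00:00 2017 GMT",
                  "Jan  1 00:00:00 2019 GMT")
    print(classify(demo))
```

For a live check, pass the result of `fetch("your-domain.example")` to `classify`; certificates that match a listed brand but none of the three date rules are reported separately so they can be reviewed by hand.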

My certificate is affected.  What do I need to do?
More information on dates and what to do can be found on Google’s Security Blog about this issue:

https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

There are two options. 

Option 1. Order a new certificate from a different CA. There are multiple CAs out there that can issue SSL certificates. Provide the CA with a CSR and they will issue a new certificate for you.

  1. Provide that certificate and the corresponding private key (created when the CSR was generated) to Edge Hosting via a support ticket and Edge Engineers can assist with installing the certificate for you.
  2. If you prefer to install the certificate yourself, you are welcome to do so.

Option 2. Have your SSL certificate reissued by DigiCert, keeping in mind the dates listed above for reissuance. You will need to contact DigiCert to reissue the certificate. Prices for DigiCert are listed on their website.

  1. Should you need assistance installing the certificate, please log into the Edge Hosting support portal, create a ticket with the certificate and private key, and Edge Engineers can assist with installing the certificate for you.
  2. If you prefer to install the certificate yourself, you are welcome to do so.

I ordered an SSL through Edge Hosting’s Support Portal.  Am I affected?
SSL certificates issued through our vendor are typically Thawte certificates. Symantec is the parent company of Thawte, and therefore some of the SSL certificates issued are affected. Customers whose SSL certificates were ordered through Edge and are affected have been notified via the portal to have them reissued.

Are other browsers affected?
Other browsers are not changing their standards at the current time.  This may change in the future, however.
