What's going on?
You may have heard about the problems between Google and Symantec in the press. Earlier this year, after incidents with Symantec certificates had become known to the public, Google decided to take action and announced plans to distrust all SSL certificates of the Symantec product group in its Google Chrome browser. The two companies held many conversations, as this approach would affect a huge number of Internet users.
Google and Symantec finally agreed on a strategy that allows Symantec to keep its certificate business. This is only possible because Symantec will no longer act as a Certificate Authority, since Google Chrome will distrust all Symantec certificates in 2018. Instead, as of December 1, 2017, the DigiCert Public Key Infrastructure (PKI) will be used to issue certificates, and Symantec will technically become a Subordinate Certificate Authority (SubCA). Likewise, all other Symantec certificate brands will be classified as SubCAs.
Need to reissue all affected certificates
With the release of Chrome 66 (estimated March 2018), Google will initially distrust all Symantec certificates issued before June 1, 2016. With the release of Chrome 70 (estimated September 2018), Google will finally distrust all Symantec SSL certificates issued before December 1, 2017 using the old Symantec PKI. Because Symantec had purchased additional CAs (GeoTrust, Thawte, and RapidSSL) in the past, the root certificates of those former companies were added to the Symantec root set. Certificates issued by these three CAs are affected in the same way as certificates issued directly by Symantec and must also be reissued.
Thus, unfortunately, all Symantec, GeoTrust, Thawte, and RapidSSL certificates are affected and will be distrusted in Google Chrome in the future. To prevent your certificates from being distrusted in Google Chrome, affected certificates must be reissued.
In conclusion, two groups of certificates must be considered separately.
The details for these groups in summary:
- Certificates issued BEFORE June 1, 2016: These will be distrusted by Google Chrome on March 15, 2018 (= release of Chrome 66). To prevent the distrust, a reissue under the DigiCert PKI is necessary. This can be done starting December 1, 2017. Reissues must be completed UNTIL March 15, 2018; afterwards Google Chrome will display errors.
- Certificates issued BEFORE December 1, 2017 (and not already in the first group): These will be distrusted by Google Chrome on September 13, 2018 (= release of Chrome 70). To prevent the distrust, a reissue under the DigiCert PKI is necessary. This can be done starting December 1, 2017. Reissues must be completed UNTIL September 13, 2018; afterwards Google Chrome will display errors.
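To tell which of the two deadlines applies to a given certificate, here is an added example (not from the original notice) that classifies a certificate from the output of `openssl x509 -noout -issuer -startdate`. The sample output is constructed, and matching the issuer field on the four brand names is an assumption of the example, not a rule stated in the notice.

```python
from datetime import datetime, timezone

# Cutoffs and deadlines from the notice (UTC). A certificate issued before the
# first cutoff is distrusted with Chrome 66, one issued before the second with Chrome 70.
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
CHROME70_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)
DEADLINES = {"CHROME66": "2018-03-15", "CHROME70": "2018-09-13"}

# Brand names of the Symantec family named in the notice. Matching the issuer
# field on these names is an assumption of this example, not a rule from the notice.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")

# Constructed sample: what `openssl x509 -noout -issuer -startdate` prints
# for a certificate issued by a Symantec intermediate in March 2016.
SAMPLE_OUTPUT = """\
issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
notBefore=Mar  3 00:00:00 2016 GMT
"""


def parse_openssl_output(text):
    """Return (issuer, not_before) from the issuer= and notBefore= lines."""
    issuer, not_before = None, None
    for line in text.splitlines():
        if line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line.startswith("notBefore="):
            stamp = line[len("notBefore="):].strip()
            # OpenSSL pads single-digit days with two spaces; strptime tolerates that.
            not_before = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    if issuer is None or not_before is None:
        raise ValueError("expected issuer= and notBefore= lines")
    return issuer, not_before


def classify(issuer, not_before):
    """Return NOT_SYMANTEC, CHROME66, CHROME70 or OK for one certificate."""
    if not any(brand in issuer.lower() for brand in SYMANTEC_BRANDS):
        return "NOT_SYMANTEC"
    if not_before < CHROME66_CUTOFF:       # group 1: distrusted with Chrome 66
        return "CHROME66"
    if not_before < CHROME70_CUTOFF:       # group 2: distrusted with Chrome 70
        return "CHROME70"
    return "OK"                            # issued under the DigiCert PKI


def check(text):
    """Classify a certificate from openssl output and name its reissue deadline."""
    verdict = classify(*parse_openssl_output(text))
    return verdict, DEADLINES.get(verdict)


if __name__ == "__main__":
    print(check(SAMPLE_OUTPUT))  # ('CHROME66', '2018-03-15')
```

A certificate issued exactly on a cutoff date is not "before" it, so it falls into the later group, matching the wording of the two groups above.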
The next steps
Update: Starting January 10, 2018, we will gradually reissue the affected SSL certificates. We will inform our customers by e-mail about the exact process.
Notification for domain validated certificates
With the upcoming change from the Symantec PKI to the DigiCert PKI, the feature to change the approver e-mail address for domain validated SSL certificates of the Symantec brands will be temporarily disabled by Symantec as of November 30.
This affects the following certificates:
- GeoTrust QuickSSL Premium
- RapidSSL Wildcard
- Thawte SSL123
According to our knowledge, this important feature should be available again within 2 months after the PKI change has been completed. However, it is also possible that it will not be disabled at all. We will inform you as soon as we have an update on this topic.
Google Chrome bug: Green bar missing for certain EV SSL certificates
Please note that the green address bar is not shown for Extended Validation (EV) SSL certificates signed using the DigiCert SHA-256 Intermediate & Root Hierarchy due to a bug in Google Chrome. The affected hierarchy consists of the following two certificates:
- Issued to: DigiCert Global CA G2
  Valid from: 08/01/2013 to 08/01/2028
  Serial Number: 0c 8e e0 c9 0d 6a 89 15 88 04 06 1e e2 41 f9 af
- Issued to: DigiCert Global Root G2
  Valid from: 08/01/2013 to 01/15/2038
  Serial Number: 03 3a f1 e6 a7 11 a9 a0 bb 28 64 b1 1d 09 fa e5
This is an issue that Google has acknowledged. A patch to fix this bug is expected to be released sometime in January 2018 (the date may change). All Extended Validation SSL certificates of the Symantec brand family are affected, including GeoTrust and Thawte. As a workaround, the replacement (reissue) of the EV SSL certificates is advised. The replacement certificate will be issued and signed by the DigiCert SHA-256 Intermediate under the DigiCert SHA-1 Root Hierarchy, which is not affected by this Google Chrome issue.