Symantec CA Brand SSL certificates issued before December 1, 2017 can be renewed 210 days before expiration
DigiCert has increased its partner renewal window from 90 to 210 days for all Symantec CA Brand SSL certificates issued before December 1, 2017. If you haven’t been keeping close tabs on the SSL industry – which goes for the vast majority of people – that sentence may read a little bit strangely to you, so here’s some background.
Dating back to 2015, really, Symantec CA Brand (Symantec, GeoTrust, Thawte & RapidSSL) has been involved in a dispute with Google and the other web browsers regarding some mis-issuance problems. Over several months during the Spring and Summer of 2017, Symantec and Google hammered out an agreement wherein Symantec would sell its CA business to DigiCert, who would then issue digital certificates with its own PKI. DigiCert finalized the acquisition of the Symantec CA last Fall and began issuing certificates for the Symantec CA brands in December.
Here’s the part you may have heard about. Google is distrusting Symantec CA SSL certificates that were issued off the old PKI. The first group of Symantec customers had until April 17 – ten days ago – to re-issue their SSL certificates with DigiCert or face a browser distrust. That deadline has now come and gone, and anyone with a Symantec SSL certificate that was issued before June 1, 2016 has been distrusted. The next, and final group of customers – anyone with a Symantec CA brand SSL certificate issued before December 1, 2017 – has until Septemember 13, 2018 to re-issue with DigiCert, lest they face distrust too.
Unfortunately, for some users, this means they will need to re-issue their SSL certificates, and then weeks later renew them too. That’s a lot of extra effort, and it’s potentially magnified if you’re managing more than one certificate. To help with this issue, DigiCert is extending its renewal window for its partners (not direct customers) for this affected set of certificates from 90 to 210 days, as Tobias Zatti explained in a blog post yesterday.
For some of you reading this, reissuance can be a lot of work, especially when a certificate expires just a couple weeks or months after it’s been reissued. To mitigate this, we increased our renewal window for 1-year renewals for all certificates issued before 1 December 2017 across the GeoTrust, Symantec, RapidSSL, and Thawte brands. This means you can now and renew these certificates up to 210 days before expiration.
Once again, this is only for DigiCert partners. Because of the CAB Forum’s baseline requirements, this is only good for one year certificate renewals, owing to the max validity of 825 days. But DigiCert is throwing in a bonus, they’ll round up your time to the nearest full month when your renew early. So if you renew with four and a half months left, DigiCert will give you credit for five months on your new certificate.
In addition, DigiCert has also improved its bulk re-issuance tool. This is for resellers or enterprises that need to re-issue large batches of certificates at once. The tool can now resend DCV emails and fulfillment emails. DigiCert plans to announce the next updates to its platform on May 14th.