Fewer Symantec customers will be affected; prepare for changes coming in 2018.
In March, Google’s Chrome team announced that it had a problem with Symantec for violating industry standards related to SSL certificate issuance. This has been discussed cooperatively over the last 4 months by Google, Symantec, and other members of the internet community.
Last night, Chrome and Symantec announced their final plan to move forward. And the August 8th, 2017 deadline that was originally proposed is no longer in play.
If you operate a website that uses a Symantec SSL certificate, please read this post to see if future versions of Chrome will affect your specific certificate and how you can replace that certificate (for free) before anything goes into effect. This applies to substantially fewer Symantec customers than originally proposed, and this post contains guidance on how to remedy the problems (if any) and avoid any issues.
Note that this article is for owners and/or administrators of websites that use Symantec portfolio certificates. If you are an ‘every day’ user of the internet and Chrome, there is nothing you need to do on your end.
Will I be affected?
If you are a current user of Symantec certificates or plan to purchase one in 2017, this could affect you.
Because Symantec is a leading Certificate Authority, more Symantec SSL certificates than is ideal will be affected. Note that Symantec operates multiple brands, all of which are affected:
Also, note that Mozilla Firefox will be taking a similar course of action, but at this time they have not committed to a final plan.
No need to panic – no changes will take effect until 2018, so there is still plenty of time to prepare.
Chrome will remove trust for Symantec certificates in question in two stages. The first stage will affect certificates issued before June 1, 2016. The second stage will affect all Symantec certificates issued from their current root certificates – including certificates not yet issued.
In order to comply with Google’s plan, you will need to replace existing Symantec certificates through a free re-issuance and reinstallation process. You will be able to do this with minimal interruption.
Note: Our customers will be receiving email updates notifying them of their needed action. If you are unsure if you are affected by this, or what certificates will be affected, this information will be identified in these emails. If you purchased your certificate from another provider, check with them to see if your certificates are affected.
Why is this Happening?
As a result of standards violations, Google Chrome has decided that Symantec’s current root certificates, which act as the “root” of trust for their SSL products, need to be reconsidered by Chrome. At issue is the mis-issuance of a group of test certificates. Google has used this as an excuse to argue that all Symantec certificates are now suspect.
We feel that was an overreaction, but Symantec and The SSL Store™ have already put plans in place to quickly guide our customers through this process with minimal interruptions to your day-to-day business.
As a result of Google’s position, many Symantec SSL certificates will eventually no longer be trusted by Chrome and will receive errors if used for HTTPS if the proper course of action is not taken.
This will occur in two stages, one beginning in April 2018, and a second occurring in October 2018 (we will cover the details of these changes in the following section).
However, please note that Symantec will be able to continuously issue trusted certificates by using different technical infrastructure.
Symantec will first partner with another managed Certificate Authority (CA), who will issue certificates in Symantec’s name starting in December of this year. That partner will continue to handle the issuance of certificates while Symantec submits its new root certificates to browsers.
This will allow Symantec to continuously issue trusted certificates without interruption throughout the entirety of Chrome’s announced changes.
The long-term plan will see Symantec’s new roots widely distributed to devices which will allow them to begin issuing certificates on their own.
The next section summarizes the timeline.
When Do I Need To Take Action?
Chrome’s gradual distrust of existing Symantec certificates in question will occur in two stages, coinciding with the release of Chrome version 66 and Chrome version 70. Version 61 is currently in use.
When Chrome 66 is released (expected in mid-April 2018) all Symantec certificates issued before June 1st, 2016, will no longer be trusted if proper action was not taken. This means users of Chrome 66+ will not be able to make an HTTPS connection with your site and will receive a warning.
The second stage will occur with the release of Chrome 70 (expected late October 2018). All Symantec certificates issued from their current roots will be distrusted on this date if proper reissuance action was not taken.
Depending on the issuance and expiration dates of your current certificate, you may need to replace your Symantec certificate in order to remain trusted throughout this period. This may depend on the timeliness of Symantec’s future PKI improvements.
How to Prepare
To make this full series of events digestible, we have broken the information down into a timeline.
The two stages of Chrome’s distrust, which serve as deadlines, are bolded to clearly show the difference between general information and actionable items.
| (Approximate) Date | Chrome Version | What happens? | How to prepare? |
|---|---|---|---|
| October 24th, 2017 | 62 | Chrome 62 will display a message in Developer Tools to help identify certificates which will be affected by distrust in Chrome 66. | Visit your websites with the Developer Tools panel open – this will allow you to identify which websites will be affected by distrust in Chrome 66. |
| December 1st, 2017 | N/A | A partnered Certificate Authority (CA) will begin issuing certificates for Symantec. | As an end user, you may notice some small changes in the issuance process. From a technical standpoint, this date is significant because it marks the beginning of the “new” Symantec certificates. Certificates issued after this date will be issued from different roots and will not be affected by Chrome’s distrust. |
| **April 17, 2018** | 66 | All Symantec certificates issued before June 1st, 2016, will no longer be trusted by Chrome. Certificates issued after June 1st, 2016 are not affected at all in this release. | Replace any Symantec certificates issued before June 1st, 2016 by this date. This can be done by reissuing your certificate for free from your provider and installing the new certificate in place of the old one. If your certificate expires around this time (April-June) you may want to consider renewing it, instead of reissuing, to avoid two replacements within a short time frame. |
| **Oct 28th, 2018** | 70 | ALL certificates issued by Symantec with their existing infrastructure will no longer be trusted by Chrome. | Starting December 1st of this year, you will be able to receive new certificates from Symantec that are issued by their partner Certificate Authority. These certificates, from a technical standpoint, will be issued by another CA and will continue to be trusted by Chrome. |
Starting in the stable version of Chrome 62, a message will be added to the Developer Tools panel when a certificate that will be distrusted in Chrome 66 is encountered. Developers can use this functionality to ensure they identify certificates on their websites that will be affected.
You can also download Chrome “Canary”, an early release that allows you to preview upcoming features. Chrome 66 will be available from the Canary channel in January, giving you the ability to access your websites as they will appear to users in Chrome 66 Stable later that year.
Our Recommended Plan of Action
To reduce the amount of disruption and effort required, we recommend the following action:
If your certificate expires BEFORE December 2017…
We recommend you renew (instead of reissue) your certificates prior to December. This will allow you to have a trusted certificate in place through the holiday season up until Oct 2018, when all certificates from Symantec’s existing roots will be distrusted and need to be replaced.
If your certificate expires DURING December…
We recommend you consider replacing your certificate now to avoid interruption. Currently, Symantec hopes to have their partner CA issuing certificates on December 1st (a Friday). If you can wait to reissue and replace your certificates until after this occurs, you will most likely never need to replace your certificates again until their natural expiration date.
However, note that delays may occur which require Symantec to miss the December 1st estimate, and there may be an unusually high volume of issuance at that time which could cause technical issues.
If that is the case and you are cutting it close to the expiration of your current certificate, you may risk outages. ‘Holiday freezes’ may also prevent you from replacing certificates during this month.
If you do need to replace your certificate before Symantec’s partner CA is ready to issue certificates, you will need to replace the certificates again before Chrome 70’s release (expected late Oct 2018).
If your certificate expires AFTER December 31st, 2017…
We recommend you wait to replace any of your certificates until Symantec’s partner CA begins issuing certificates (expected December 1st, 2017).
After this date you can begin reissuing and replacing certificates as needed. If your certificate expires before March 30th, 2018, renewing your certificate early will be the simplest course of action.
This will allow you to replace your certificate only one time. Certificates issued by Symantec’s partner CA will not be affected by Chrome’s changes and will not need to be replaced until their natural expiration.
Special Case: If your certificate was issued BEFORE June 1st, 2016 and expires AFTER April 17th, 2018…
You fall into a special case. Your certificate must be reissued and replaced BEFORE the release of Chrome 66, which is expected April 17th, 2018, in order to remain trusted in Chrome.
However, you should wait until after December 1st 2017 to reissue your certificates. On this date, Symantec’s partner CA will begin issuing certificates. By waiting until this date you will only need to replace your certificate one time.
If you reissue before Symantec’s partner CA is available, your certificate will come from one of Symantec’s current root certificates and will need to be replaced again before October 2018.
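The timeline and recommended plan above can be applied to a certificate inventory mechanically. The following is an added example, not code from this post or from Symantec or Chrome: it parses the output of `openssl x509 -noout -dates` and returns the Chrome version that first distrusts the certificate plus the matching recommendation. It assumes the certificate is already known to come from a Symantec-portfolio root and that the partner CA starts on the expected date; the function names and action labels are hypothetical.

```python
from datetime import date, datetime

# Dates from the timeline on this page (all "expected" dates, so treat as assumptions).
STAGE1_ISSUED_BEFORE = date(2016, 6, 1)   # issued before this: distrusted in Chrome 66
PARTNER_CA_START = date(2017, 12, 1)      # certificates issued from here use the partner CA
CHROME_66 = date(2018, 4, 17)
CHROME_70 = date(2018, 10, 28)

def parse_openssl_dates(text):
    """Parse the output of `openssl x509 -noout -dates` into (not_before, not_after)."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    fmt = "%b %d %H:%M:%S %Y GMT"
    return tuple(datetime.strptime(fields[k].strip(), fmt).date()
                 for k in ("notBefore", "notAfter"))

def assess(not_before, not_after):
    """Classify one Symantec-portfolio certificate against the two distrust stages."""
    if not_before >= PARTNER_CA_START:
        return {"distrusted_in": None, "deadline": None, "action": "none"}
    if not_before < STAGE1_ISSUED_BEFORE and not_after > CHROME_66:
        stage, deadline = 66, CHROME_66
    elif not_after > CHROME_70:
        stage, deadline = 70, CHROME_70
    else:
        stage, deadline = None, None      # expires before a distrust stage reaches it
    # Recommendation buckets follow the "Our Recommended Plan of Action" headings.
    if not_after < PARTNER_CA_START:
        action = "renew-before-december"
    elif not_after <= date(2017, 12, 31):
        action = "replace-now-or-wait-for-partner-ca"
    elif stage == 66:
        action = "special-case-reissue-after-dec-1-and-before-chrome-66"
    elif not_after < date(2018, 3, 30):
        action = "renew-early-from-partner-ca"
    else:
        action = "wait-for-partner-ca-then-reissue"
    return {"distrusted_in": stage, "deadline": deadline, "action": action}

# Constructed sample output of `openssl x509 -noout -dates` (not a real certificate).
SAMPLE = """notBefore=May 10 00:00:00 2016 GMT
notAfter=May 10 23:59:59 2019 GMT"""

if __name__ == "__main__":
    print(assess(*parse_openssl_dates(SAMPLE)))
```

A `distrusted_in` of `None` means the certificate expires before either stage reaches it, so only the normal renewal applies.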