Google Chrome Phasing out Symantec CA Certificates

As a result of Symantec’s mis-issuance of end-entity certificates, Google Chrome and other browsers such as Mozilla Firefox are beginning a process of progressively distrusting Symantec CA certificates. Once a CA certificate is no longer trusted, Chrome users visiting sites that use end-entity certificates issued under that CA certificate will be blocked from viewing the site. This change stems from an ongoing history of Symantec mishandling the issuance of X.509 certificates, which violated the trust of many browser vendors.


This process of progressively distrusting Symantec CA certificates will impact services (primarily web sites using HTTPS) configured to use end-entity certificates issued by Symantec and Symantec’s subsidiaries, including Thawte, GeoTrust, RapidSSL, and VeriSign.


Symantec has announced they are transferring control of their certificate business to DigiCert, who will begin issuing certificates for Thawte, GeoTrust, RapidSSL, and Verisign in December.


Below is a timeline of Google Chrome’s phasing out process:


Timeline:

December 1, 2017: DigiCert will begin issuing new trusted Thawte, GeoTrust, RapidSSL, or Verisign certs. Certificates obtained from DigiCert after this date will not be phased out by Chrome.
April 17, 2018 [approx.]: Chrome 66 released; no longer trusts certificates issued by Symantec, or any certificate issued by Symantec CA subsidiaries, prior to June 1, 2016.
October 23, 2018 [approx.]: Chrome 70 released; no longer trusts any certificates issued by Symantec CAs prior to December 1, 2017.


If you manage desktops, you may experience an influx of reports of insecure sites starting mid-April 2018.


Actions to take:


If you manage web servers or web sites:

o    Check your sites to see if any are using a certificate issued by a Symantec CA – this includes Symantec, Thawte, GeoTrust, RapidSSL, and Verisign.

o    If your certificate is issued by Symantec or any of the Symantec certificate subsidiaries, including Thawte, GeoTrust, RapidSSL, or Verisign:

  • Certs issued prior to June 1, 2016 will be valid until April 17, 2018.  You may obtain a new copy of your cert, which will be trusted by Chrome until October 23, 2018 or the expiration date on the cert, whichever comes first.
  • Certs issued after June 1, 2016 will be valid in Chrome until October 23, 2018.
  • In either case, you will need to replace your cert with a new cert to avoid being impacted by the October 23, 2018 deadline.
  • Obtain a new copy of your cert from your existing CA after December 1, 2017.  This cert will be issued by the DigiCert infrastructure, and will be trusted by Chrome until the expiration date on the cert.  This is not an option for certs issued directly from Symantec.
  • Alternatively, you can switch to a new cert immediately, provided it is issued by a trusted non-Symantec CA.

o    If you need new certs, you can obtain no-cost certs from UBC IT by following the instructions here: https://confluence.it.ubc.ca/display/ITSecurity/how+to+obtain%2C+deploy+and+verify+an+X.509+certificate
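To help with the first step above (finding sites that still use a Symantec-family certificate and working out which Chrome release will stop trusting it), here is an added example script; it is not part of this advisory or of UBC IT’s tooling. It uses only the Python standard library: the classifier works on the dictionary shape that ssl's getpeercert() returns, matching the issuer organizationName against the brand names listed above and comparing notBefore with the June 1, 2016 and December 1, 2017 cut-offs. The sample certificate dictionaries are constructed for illustration, not real certificates.

```python
import socket
import ssl
from datetime import datetime, timezone

# Symantec brands named in the advisory, matched against the issuer organizationName.
SYMANTEC_BRANDS = ("symantec", "thawte", "geotrust", "rapidssl", "verisign")

# Chrome's cut-off dates: issued before the first is distrusted by Chrome 66,
# issued before the second is distrusted by Chrome 70.
CUTOFF_CHROME66 = datetime(2016, 6, 1, tzinfo=timezone.utc)
CUTOFF_CHROME70 = datetime(2017, 12, 1, tzinfo=timezone.utc)


def issuer_org(cert):
    """Return organizationName from a getpeercert()-style issuer tuple, or ''."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert):
    """Return 'chrome66', 'chrome70' or 'ok' for a getpeercert()-style dict."""
    org = issuer_org(cert).lower()
    if not any(brand in org for brand in SYMANTEC_BRANDS):
        return "ok"  # not a Symantec-family issuer, unaffected by this change
    issued_at = ssl.cert_time_to_seconds(cert["notBefore"])
    issued = datetime.fromtimestamp(issued_at, timezone.utc)
    if issued < CUTOFF_CHROME66:
        return "chrome66"  # blocked from ~April 17, 2018
    if issued < CUTOFF_CHROME70:
        return "chrome70"  # blocked from ~October 23, 2018
    return "ok"  # issued on/after Dec 1, 2017 by the DigiCert infrastructure


def check_host(host, port=443):
    """Fetch a live server's leaf certificate and classify it (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert())


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_OLD_SYMANTEC = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Symantec Corporation"),),
               (("commonName", "Example Symantec CA (constructed)"),)),
    "notBefore": "Mar  3 00:00:00 2016 GMT",
    "notAfter": "Mar  3 23:59:59 2018 GMT",
}
```

Run check_host("www.example.org") against each site you manage; "chrome66" and "chrome70" results are the certificates that need replacing before the respective dates.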


If you have any questions, please contact security@ubc.ca.


Additional Information:

https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs%5B1-25%5D