Vast Majority of Symantec Certificates Already Replaced: DigiCert

Less than 1% of the top 1 million websites have yet to replace Symantec-issued certificates before major browsers distrust them, DigiCert announced this week.

Last year, DigiCert bought the Certification Authority (CA) business run by Symantec, one of the oldest and largest CAs, after a series of issues observed over the past couple of years triggered major browser vendors to announce plans to remove trust in digital certificates issued by the CA.

Later this year, both Chrome and Firefox will stop trusting certificates issued by Symantec, and others might follow suit. The move will affect all certificates issued before DigiCert acquired the Symantec CA division, including those issued under the GeoTrust, RapidSSL, Thawte, and VeriSign brands.

DigiCert, which said last year it would ensure the newly acquired division won’t repeat previous errors, is determined to help all website owners get replacement certificates and says the process is nearly complete.

Less than 1% of the top 1 million sites still use Symantec-issued certificates that will be affected by upcoming browser distrust action. According to DigiCert, it is ready to help their owners get replacement certificates before the beta releases of Firefox 60 and Chrome 66 in the next couple of months.

“Certificates replaced by DigiCert ahead of Chrome 66 distrust timelines will also satisfy Mozilla Firefox requirements,” the company says.

Last year, Google announced plans to distrust all Symantec certificates with the release of Chrome 70, while Mozilla said earlier this week it would make a similar move with the release of Firefox 63 in October 2018.

In preparation for this action, DigiCert started issuing trusted certificates for the Symantec, Thawte, GeoTrust and RapidSSL brands on Dec. 1, 2017. Since then, the company has issued millions of certificates, including new and free replacement certificates, and says that “the vast majority of Symantec brand certificate holders have taken corrective action.”

To receive replacement certificates, customers need to go through a typical renewal process in the portal where they made the original purchase. DigiCert offers the certificate replacements for free, extended through the original validity period.

A web tool is available to help identify impacted certificates: simply entering a domain name confirms whether it runs a Symantec-issued certificate that needs to be replaced. The tool can help organizations identify any certificate affected by the release of Chrome 70 and Firefox 63 later this year.

All Symantec certificates that were issued before June 2016 are set to be distrusted in Chrome 66 and Firefox 60, set to arrive in April and May, respectively. Certificates Symantec issued between June 1, 2016 and Nov. 30, 2017 will be distrusted in Chrome 70 and Firefox 63, both set for an October release.
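The schedule above can be applied to a local certificate inventory. The following is an added example, not DigiCert's web tool and not code from the article: it parses the text printed by `openssl x509 -noout -issuer -startdate` and sorts a certificate into the distrust phase the article describes. It assumes that a brand name in the issuer string identifies a Symantec-family certificate (a heuristic) and that `notBefore` stands in for the issuance date; the sample inputs are constructed.

```python
import re
from datetime import datetime, timezone

# Brand names listed in the article; substring matching on the issuer is a heuristic.
BRANDS = ("symantec", "geotrust", "rapidssl", "thawte", "verisign")
PHASE1_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)    # issued before June 2016
DIGICERT_START = datetime(2017, 12, 1, tzinfo=timezone.utc)  # DigiCert issuance begins

def parse_openssl(text):
    """Return (issuer, not_before) from `openssl x509 -noout -issuer -startdate` output."""
    issuer = re.search(r"^issuer\s*=\s*(.+)$", text, re.M)
    start = re.search(r"^notBefore\s*=\s*(.+)$", text, re.M)
    if not issuer or not start:
        raise ValueError("missing issuer or notBefore line")
    # openssl pads single-digit days with a space ("Jun  1 ..."); collapse whitespace first.
    stamp = " ".join(start.group(1).split())
    not_before = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return issuer.group(1).strip(), not_before.replace(tzinfo=timezone.utc)

def classify(text):
    """Map one certificate to the browser releases that distrust it, per the article."""
    issuer, not_before = parse_openssl(text)
    if not any(brand in issuer.lower() for brand in BRANDS):
        return "not a Symantec-family brand"
    if not_before < PHASE1_CUTOFF:
        return "distrusted in Chrome 66 / Firefox 60"
    if not_before < DIGICERT_START:
        return "distrusted in Chrome 70 / Firefox 63"
    return "issued since Dec. 1, 2017: trusted"

# Constructed samples in openssl's output format (issuer names are illustrative).
SAMPLES = {
    "old": "issuer=C = US, O = GeoTrust Inc., CN = Constructed Sample CA\n"
           "notBefore=Mar 12 00:00:00 2016 GMT\n",
    "boundary": "issuer=C = US, O = Symantec Corporation, CN = Constructed Sample CA\n"
                "notBefore=Jun  1 00:00:00 2016 GMT\n",
    "reissued": "issuer=C = US, O = DigiCert Inc, CN = Constructed RapidSSL Sample CA\n"
                "notBefore=Jan 15 09:30:00 2018 GMT\n",
    "other": "issuer=C = US, O = Example CA, CN = Example Issuing CA\n"
             "notBefore=Feb  2 00:00:00 2016 GMT\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:9s} {classify(text)}")
```

Anything the script places in either distrust phase still needs a replacement certificate; a result in the trusted bucket only reflects the issuer string and start date, not full chain validation.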

“We’ve been working hard for months to make sure that customers are aware of the Chrome and Mozilla deadlines and that they can replace Symantec-issued certificates through us for free. Through comprehensive communications and tools in multiple languages, alongside our partners, we are continuing to provide instructions and the simplest replacement path available for those who still need to act,” Jeremy Rowley, chief of product for DigiCert, said.

All of the certificates that DigiCert has issued for Symantec, Thawte, GeoTrust and RapidSSL brands since Dec. 1, 2017 are fully trusted by the browsers.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
