Google will begin distrusting Symantec-issued SSL certificates starting with Chrome 66, which will be rolled out to Chrome Beta users in March and Stable users in April of this year. On October 23, 2018, Google will kill all trust in any Symantec SSL certificates with the rollout of Chrome 70. The decision to ultimately remove all trust in Symantec comes after repeated incidents by the company that caused the “Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure”.
In response to the announcement by Google, Symantec decided to sell their PKI business to DigiCert, which will operate a newly formed “Managed Partner Infrastructure”. By December 1, 2017, the issuance and operation of all publicly-trusted certificates was transitioned to DigiCert.
What does this mean for site operators? If you are using an SSL certificate issued by Symantec prior to the December 1, 2017 changeover to DigiCert, you will want to obtain a replacement certificate from a new authority that is trusted by Chrome.
Below is a reference timeline from Google with more information and dates to keep in mind.
| Date | Event |
|---|---|
| Now through March 15, 2018 | Site Operators using Symantec-issued TLS server certificates issued before June 1, 2016 should replace these certificates. These certificates can be replaced by any currently trusted CA. |
| March 15, 2018 | Chrome 66 released to beta, which will remove trust in Symantec-issued certificates with a not-before date prior to June 1, 2016. As of this date Site Operators must be using either a Symantec-issued TLS server certificate issued on or after June 1, 2016 or a currently valid certificate issued from any other trusted CA as of Chrome 66. Site Operators that obtained a certificate from Symantec’s old infrastructure after June 1, 2016 are unaffected by Chrome 66 but will need to obtain a new certificate by the Chrome 70 dates described below. |
| April 17, 2018 | Chrome 66 released to Stable. |
| September 13, 2018 | Chrome 70 released to Beta, which will remove trust in the old Symantec-rooted Infrastructure. This will not affect any certificate chaining to the new Managed Partner Infrastructure, which Symantec has said will be operational by December 1, 2017. Only TLS server certificates issued by Symantec’s old infrastructure will be affected by this distrust regardless of issuance date. |
| October 23, 2018 | Chrome 70 released to Stable. |
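
To apply the timeline above to your own certificates, the following added example (not code from Google or from this article) classifies the output of `openssl x509 -noout -issuer -startdate` by the Chrome release that will distrust it. The issuer organization list and the sample outputs are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Assumption (not from the article): issuer organization substrings that mark
# Symantec's old infrastructure. Adjust for your own inventory.
OLD_SYMANTEC_ORGS = ("symantec", "geotrust", "thawte", "verisign", "rapidssl")
CHROME_66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Constructed samples of `openssl x509 -noout -issuer -startdate` output.
SAMPLES = {
    "old-pre-2016": "issuer=C = US, O = Symantec Corporation, "
                    "CN = Symantec Class 3 Secure Server CA - G4\n"
                    "notBefore=Mar  3 00:00:00 2016 GMT",
    "old-post-2016": "issuer= /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA\n"
                     "notBefore=Feb 10 00:00:00 2017 GMT",
    "managed-partner": "issuer=C = US, O = DigiCert Inc, CN = GeoTrust RSA CA 2018\n"
                       "notBefore=Jan 15 00:00:00 2018 GMT",
}

def parse_openssl_summary(text):
    """Return (issuer organization, not-before as aware UTC datetime)."""
    org = re.search(r"issuer=.*?\bO\s*=\s*([^,/\n]+)", text)
    start = re.search(r"notBefore=(.+)", text)
    if not org or not start:
        raise ValueError("expected issuer= (with O=) and notBefore= lines")
    # openssl pads single-digit days with two spaces; normalise before parsing.
    stamp = " ".join(start.group(1).split())
    not_before = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return org.group(1).strip(), not_before.replace(tzinfo=timezone.utc)

def chrome_distrust(issuer_org, not_before):
    """First Chrome release that distrusts the certificate, or None."""
    if not any(name in issuer_org.lower() for name in OLD_SYMANTEC_ORGS):
        return None  # another CA, or the DigiCert-run Managed Partner Infrastructure
    # Chrome 66 drops not-before dates prior to June 1, 2016; Chrome 70 drops the rest.
    return 66 if not_before < CHROME_66_CUTOFF else 70

def audit(summaries):
    """Map each label to the Chrome release that will distrust its certificate."""
    return {label: chrome_distrust(*parse_openssl_summary(text))
            for label, text in summaries.items()}

if __name__ == "__main__":
    for label, release in audit(SAMPLES).items():
        print(f"{label}: {'unaffected' if release is None else f'distrusted from Chrome {release}'}")
```

Matching on the issuer organization is a heuristic; confirm any flagged certificate by inspecting its full chain before scheduling a replacement.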