Executive Summary
- Purchase a certificate from the recommended organisation: Digicert
- Install new certificate files on each web server
Summary of the Situation
The Chrome team no longer trust previously issued Symantec certificates, and DigiCert have been selected as the new primary provider of SSL certificate infrastructure.
Symantec will maintain their role as an issuer of certificates, but DigiCert will manage the ‘Managed Partner Infrastructure’ on their behalf.
Technically Symantec are now selling certificates with this ‘new’ infrastructure, so certificates purchased from them can be renewed.
However, given the situation we recommend going straight to DigiCert.
April 17th 2018:
Chrome 66 scheduled for release, which removes trust in Symantec-issued certificates issued prior to June 1st 2016
October 23rd 2018:
Chrome 77 is scheduled for release, which removes trust in all ‘old’ Symantec-issued certificates issued on or after June 1st 2016
How to check SSL Certificate Status
Step 1) Visit the website using Chrome
Step 2) Open Developer Tools and refresh
(CTRL+SHIFT+I) ← (letter i, not L) or F12
Step 3) Review the Console
If the SSL certificate in use was issued prior to June 1st 2016, the console will display this message: (M66, must be replaced by mid April)
If the SSL certificate was issued on or after June 1st 2016, the console will display this message: (M70, must be replaced by mid October)
Full Background Information
Google Security Blog – Chrome’s Plan to Distrust Symantec Certificates
This article provides a full overview of the situation.
Key details: