DigiCert Replacement of Symantec-Issued Certificates Reaches Milestone

Featured article by Jeremy Rowley, Head of Product at DigiCert, Inc.

Google and Mozilla announced a timeline last fall to gradually remove trust in Symantec root certificate authorities (CA), prior to DigiCert completing its acquisition of Symantec Website Security on Oct. 31, 2017. DigiCert began issuing trusted certificates for the Symantec, Thawte, GeoTrust and RapidSSL brands on Dec. 1, 2017, after satisfying browser requirements for replacing Symantec backend systems and processes with DigiCert ones. Since that time, DigiCert has issued millions of certificates, including both new and free replacement certificates. Today, the vast majority of Symantec brand certificate holders have taken corrective action.

In fact, DigiCert has reached a major milestone: Less than 1 percent of the top 1 million sites have yet to replace Symantec-issued certificates affected by upcoming browser distrust action. Mozilla released figures from its latest telemetry report earlier this week showing 1 percent with certificates to be untrusted.

Affected customers can handle replacement similar to a typical renewal, with a couple of clicks in the portal where they made their original purchase. There is no need to learn new systems or work with new account representatives. Certificate replacements are free and extended through the original validity period.

DigiCert created an easy-to-use web tool to identify impacted certificates. Entering a domain name will confirm if and when a Symantec-issued certificate needs to be replaced by DigiCert. This tool also will help organizations identify certificates that will be affected by the Chrome 70 release later this year, which occurs around the same time as Firefox’s distrust of all remaining Symantec-issued certificates.

Additional steps taken by DigiCert over the last several months, and still underway, to raise awareness among affected customers include:

– Sending a series of nearly 600,000 emails to customers reminding them of deadlines, necessary action items and information
– Establishing an outbound call center, and calling all affected customers
– Displaying reminder messages in multiple languages in the portals customers use to order and manage certificates
– Hosting multiple webinars, with the latest held yesterday.
– Posting documentation in multiple languages for replacing Symantec-issued certificates

DigiCert is currently focused on helping customers replace certificates issued by Symantec before June 2016, which are due to be distrusted in Chrome 66 and Firefox 60. All certificates issued by Symantec from June 1, 2016 through Nov. 30, 2017 will also lose trust in the release of Chrome 70 and Firefox 63. Chrome 70 canary release is currently scheduled for July 20, beta for Sept. 13 and stable around Oct. 16. DigiCert’s work to help customers meet the current deadlines has prepared it to handle the next phase of certificate replacement. All certificates issued by DigiCert for Symantec, Thawte, GeoTrust and RapidSSL brands after Dec. 1, 2017 are fully trusted by the browsers.