Earlier this month, after roughly six months of deliberation and planning, Google finalised their plans for staged deprecation of Symantec certificates. The process began in March 2017 when Google announced on the Blink mailing list that they had lost confidence in Symantec’s certificate issuance policies and practices of recent years. The initial deprecation proposal was very strict and looked like it would completely paralyse Symantec, ending with limiting their certificates to a validity period of less than one year.
Over time, however, a different solution emerged and Symantec agreed to hand over operation of their PKI to another CA, selecting DigiCert for the role. In return, Google agreed to a deprecation plan that will still be difficult for Symantec, but allows them to resume issuance normally afterwards. Mozilla carried out their own investigation and decided to match Google’s actions and dates. In the final twist, Symantec decided to sell their certificate business to DigiCert.
From the end user perspective, the bottom line is that a fair share of Symantec certificates will expire early. There are two deprecation stages. First, certificates issued before June 2016 will stop working in March 2018, with Chrome 66. All remaining certificates will stop working in September 2018, with Chrome 70.
There are two deprecation phases because Symantec’s certificates issued from 1 June 2016 have been logged to public Certificate Transparency logs. It’s worth mentioning that, if you read the actual deprecation plans, you’ll find that there are many different dates and other milestones, because Chrome is released in stages, in alpha, beta, and stable channels. The dates we’ve adopted as milestones ensure that Chrome beta users won’t be affected. Overall, it’s always better to replace these certificates sooner rather than later.
The final important point is that, from December 1st, DigiCert will be issuing certificates on behalf of Symantec. These certificates will not be affected by either deprecation phase. Thus, if you want to stay with Symantec, you should only replace your current certificates from December onwards. If you decide to switch to another CA, you can replace your current certificates at any point before they are deprecated. According to Symantec, they are now working with DigiCert to replace all their existing certificates. If you’re a customer, you can contact Symantec (and their other brands, Thawte, RapidSSL and GeoTrust) for assistance.
To help our users with the transition, SSL Labs will start to warn whenever it encounters a leaf certificate issued from the Symantec PKI that is affected by the deprecation. Starting today, the warnings are on our development servers, and the production servers will follow soon.
Update February 2018:
Starting 1 March 2018, SSL Labs will give “T” grade for Symantec certificates issued before June 2016.
Starting 1 September 2018, SSL Labs will give “T” grade for all remaining Symantec certificates.