SSL certificates are responsible for ensuring a secure HTTPS connection between the user and a website.
Now that an HTTPS connection has become imperative for every website, SSL certificates also need to comply with the current security requirements and practices for validation and issuance.
As usual, the leading web browser providers, Google (Chrome) and Mozilla (Firefox), have initiated a significant debate.
Their security teams detected flaws in the SSL certificates issued by one of the leading certifying companies – Symantec. The flaws lie in the issuing authority’s infrastructure: certain standards and practices were not followed in the issuance and validation processes.
Symantec is a leading certificate issuing authority that uses a few well-known brands – RapidSSL, GeoTrust and Thawte. All certificates issued by these brands are now compromised.
During the discussion of the actions and measures necessary for fixing the flaws, the Symantec SSL certificates’ business was acquired by another leading company in the field – DigiCert.
As a leading provider of SSL/TLS solutions, DigiCert will offer an up-to-date, fast and secure infrastructure that can comply with all the requirements and standards for the issuance of SSL certificates. After the acquisition, DigiCert announced that as of December 1, 2017 all certificates will be reissued through the new infrastructure, and the service will be completely free.
DigiCert is already reissuing certificates for Symantec customers as of December 1, 2017. The SSL certificates issued by DigiCert after this date are fully supported and trusted by Chrome and Firefox.
After numerous discussions concerning the compromised certificates, Google and Mozilla set up a strategy for distrusting Symantec.
The strategy’s final goal will be reached by the end of 2018, when the latest versions of the two browsers will completely distrust the Symantec certificates.
Google and Mozilla’s Strategies for the Symantec Certificates
Although the two strategies have the same target and final date, their implementation differs a bit.
Chrome’s Plan to Distrust Symantec Certificates
- Chrome 62 (October 2017) lets you see whether the certificate has deficiencies and will be distrusted in Chrome 66; the notification is visible in Dev Tools;
- Chrome 66 (April 2018) will remove trust in Symantec-issued certificates issued prior to June 1, 2016;
- Chrome 70, to be released in October 2018, will fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued.
Firefox’s Plan to Distrust Symantec Certificates
- Firefox 58 (January 2018): Notices in the Developer Console will warn about Symantec certificates issued before June 1, 2016;
- Firefox 60 (May 2018): Websites will show an untrusted connection error if they have a certificate issued before June 1, 2016;
- Firefox 63 (October 2018): Distrust of Symantec certificates issued through the old infrastructure.
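To see where a given certificate falls in this schedule, the following added example (not part of the original article) classifies the output of `openssl x509 -noout -issuer -startdate`. Matching on the issuer text is a heuristic assumption rather than the browsers' own check, and the sample outputs are constructed.

```python
import re
from datetime import datetime

# Cut-off date and browser versions come from the schedule in the article.
PHASE1_CUTOFF = datetime(2016, 6, 1)
# Brand names from the article; matching on issuer text is a heuristic assumption.
LEGACY_BRANDS = ("symantec", "rapidssl", "geotrust", "thawte")


def parse_openssl(text):
    """Return (issuer, not_before) from `openssl x509 -noout -issuer -startdate` output."""
    issuer = re.search(r"^issuer=\s*(.+)$", text, re.M)
    start = re.search(r"^notBefore=\s*(.+?)\s*$", text, re.M)
    if not issuer or not start:
        raise ValueError("expected issuer= and notBefore= lines")
    not_before = datetime.strptime(start.group(1), "%b %d %H:%M:%S %Y GMT")
    return issuer.group(1), not_before


def classify(text):
    """Map a certificate to (status, chrome_release, firefox_release)."""
    issuer, not_before = parse_openssl(text)
    # Handles both "O = Name" (OpenSSL 1.1+) and "/O=Name" (older) layouts.
    org = re.search(r'(?:^|[,/]\s*)O\s*=\s*"?([^,/"]+)', issuer)
    org_name = org.group(1).strip().lower() if org else ""
    if "digicert" in org_name:
        return ("not-affected", None, None)  # issued from DigiCert infrastructure
    if not any(brand in issuer.lower() for brand in LEGACY_BRANDS):
        return ("not-affected", None, None)  # unrelated CA
    if not_before < PHASE1_CUTOFF:
        return ("distrusted-early", "Chrome 66", "Firefox 60")
    return ("distrusted-final", "Chrome 70", "Firefox 63")


# Constructed sample outputs (not taken from real sites).
SAMPLES = {
    "old": "issuer=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA\n"
           "notBefore=Mar  5 00:00:00 2016 GMT\n",
    "mid": "issuer= /C=US/O=Symantec Corporation/CN=Symantec Class 3 Secure Server CA - G4\n"
           "notBefore=Aug 10 00:00:00 2017 GMT\n",
    "new": "issuer=C = US, O = DigiCert Inc, CN = RapidSSL RSA CA 2018\n"
           "notBefore=Jan 12 00:00:00 2018 GMT\n",
}

if __name__ == "__main__":
    for name, output in SAMPLES.items():
        print(name, classify(output))
```

A certificate reported as distrusted-early or distrusted-final should be reissued before the listed browser release.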
How to Reissue a Symantec SSL Certificate?
You can submit a request to reissue your SSL certificate by going to your customer profile and opening the SSL Certificates menu. Select the Details option right next to the certificate. Click on Reissue SSL certificate and follow the steps.
You do not need to enter any information to reissue the certificate. After clicking on Reissue, you will receive a verification email to confirm reissuing the certificate.
Reinstalling the New SSL Certificate in cPanel
Once the certificate has been reissued, you only need to reinstall it.
If you are using cPanel, you can install the new certificate by going to SSL/TLS -> Install and Manage SSL for your site (HTTPS) and clicking on Manage SSL sites.
To install a new certificate, go to the Install an SSL Website section and select the domain from the drop-down menu. Enter the new code in the following three fields: CRT, KEY and CABUNDLE, and finish the installation with Install Certificate. You will see a message that the certificate has been successfully installed.