Moving away from Symantec Certificate Authorities

by Gavin Porter

An ever-growing number of security issues have been identified over recent years with certificates issued by Symantec Certificate Authorities (CAs). The affected certificates include those sold under the Thawte, VeriSign, Equifax, GeoTrust, RapidSSL and FreeSSL brands, all of which chain to Symantec-operated roots. Even if you bought your certificate through somebody else, you may still be holding an affected certificate, because many resellers sold these brands: what matters is the CA that issued it, not the vendor you paid.

Security concerns have mounted to the point where the major browser vendors have collectively agreed to gradually stop trusting Symantec certificates. Symantec's website security and PKI business has also been sold to DigiCert, which will migrate existing customers to its own CA infrastructure.

Changes to how browsers treat these certificates will take place as follows:

1 December 2017 - Symantec expects to complete the transfer of certificate issuance to DigiCert's CA infrastructure. Any certificate issued on or after 1 December 2017 by the old Symantec infrastructure will not be trusted by browsers.

April/May 2018 - Chrome 66 (planned for April) and Firefox 60 (planned for May) stop trusting certificates issued by a Symantec CA before 1st June 2016.

October 2018 - Chrome 70 and Firefox 63 stop trusting every certificate issued by the old Symantec CA infrastructure, regardless of its issue date.
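As an added example that is not part of the original post, the following Python maps a certificate's issuer brand and issue date onto the timeline above. It reads the two lines printed by `openssl x509 -noout -issuer -startdate` in both the OpenSSL 1.0 and 1.1+ layouts; the sample output lines embedded in it are constructed for the example, not captured from real sites. Matching on the issuer's organisation name is a first-pass heuristic: the browsers' actual rule is whether the chain ends at a legacy Symantec root, so a certificate flagged here should be confirmed against its full chain, and one issued under these brands after the cut-over may be fine if DigiCert's infrastructure issued it.

```python
"""Check a TLS certificate against the Symantec distrust timeline.

Added example, not part of the original post. It consumes the output of
`openssl x509 -noout -issuer -startdate` (OpenSSL 1.0 and 1.1+ layouts), picks
the issuer's organisation (O=), and maps brand and issue date onto the browser
deadlines described in the post. Brand list and dates are the post's; the
sample openssl output embedded below is constructed, not taken from real sites.
"""
import re
from datetime import datetime

# Brands the post lists as chaining to the legacy Symantec roots.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust",
                   "equifax", "rapidssl", "freessl")

# Dates from the browser timeline in the post.
EARLY_DISTRUST = datetime(2016, 6, 1)   # Chrome 66 / Firefox 60 drop certs issued before this
CUTOVER = datetime(2017, 12, 1)         # old infrastructure stops issuing trusted certs

VERDICTS = {
    "unaffected": "issuer is not a legacy Symantec brand",
    "distrust_2018_04": "issued before 2016-06-01: distrusted by Chrome 66 (April 2018) "
                        "and Firefox 60 (May 2018)",
    "distrust_2018_10": "issued 2016-06-01 to 2017-11-30: distrusted by Chrome 70 "
                        "and Firefox 63 (October 2018)",
    "verify_new_infra": "issued on or after 2017-12-01 under a Symantec brand: trusted only "
                        "if the DigiCert-run infrastructure issued it; check the chain",
}


def issuer_organisation(issuer_value):
    """Extract the O= attribute from the value part of an openssl 'issuer=' line."""
    value = issuer_value.strip()
    if value.startswith("/"):
        # OpenSSL 1.0 layout: /C=US/O=VeriSign, Inc./CN=...  (commas are literal here)
        parts = value.lstrip("/").split("/")
    else:
        # OpenSSL 1.1+ layout: C = US, O = Foo, CN = ...  (commas inside values are escaped as \,)
        parts = re.split(r"(?<!\\), ", value)
    for part in parts:
        m = re.match(r"\s*O\s*=\s*(.*)$", part)   # 'OU=' does not match: 'U' is not '='
        if m:
            return m.group(1).strip().replace("\\,", ",")
    return ""


def parse_openssl_output(text):
    """Return (organisation, not_before) from `openssl x509 -noout -issuer -startdate` output."""
    organisation = not_before = None
    for line in text.splitlines():
        if line.startswith("issuer="):
            organisation = issuer_organisation(line[len("issuer="):])
        elif line.startswith("notBefore="):
            # openssl prints e.g. 'Jun  1 00:00:00 2016 GMT'; strptime tolerates the double space
            not_before = datetime.strptime(line[len("notBefore="):].strip(),
                                           "%b %d %H:%M:%S %Y %Z")
    if organisation is None or not_before is None:
        raise ValueError("expected both an issuer= and a notBefore= line")
    return organisation, not_before


def classify(organisation, not_before):
    """Map issuer brand and issue date onto the timeline; returns a VERDICTS key."""
    if not any(brand in organisation.lower() for brand in SYMANTEC_BRANDS):
        return "unaffected"
    if not_before < EARLY_DISTRUST:
        return "distrust_2018_04"
    if not_before < CUTOVER:
        return "distrust_2018_10"
    return "verify_new_infra"


def report(text):
    """Return (verdict key, human-readable line) for one openssl output blob."""
    organisation, not_before = parse_openssl_output(text)
    verdict = classify(organisation, not_before)
    return verdict, f"{organisation} ({not_before:%Y-%m-%d}): {VERDICTS[verdict]}"


# Constructed sample outputs in both openssl layouts (not real certificates).
SAMPLES = {
    "old_verisign": "issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network"
                    "/CN=VeriSign Class 3 Secure Server CA - G3\n"
                    "notBefore=Mar  3 00:00:00 2016 GMT\n",
    "rapidssl_2017": "issuer=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA\n"
                     "notBefore=Jun 15 12:00:00 2017 GMT\n",
    "symantec_after_cutover": "issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network,"
                              " CN = Symantec Class 3 Secure Server CA - G4\n"
                              "notBefore=Dec  5 00:00:00 2017 GMT\n",
    "letsencrypt": "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\n"
                   "notBefore=Nov 20 08:00:00 2017 GMT\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {report(text)[1]}")
```

To run it against a live site, feed it the server's leaf certificate: `openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -issuer -startdate`, then pass that output to `report()`. The verdict keys are deliberately short so the check can be scripted across an inventory of hostnames and the results grouped by deadline.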

The CA/Browser Forum has also agreed to shorten certificate lifetimes so that the ecosystem can move to new standards faster than it managed during the SHA-1 deprecation, when certificates issued years earlier kept the weak algorithm in circulation. From 1st March 2018, publicly trusted CAs will issue certificates valid for at most 825 days (roughly 27 months), so three-year certificates will no longer be available, which will lead to better security for everyone.

We recommend that public sites switch to Let's Encrypt-issued certificates configured to renew automatically; Let's Encrypt certificates are valid for 90 days, so automated renewal is essential rather than optional. Make this change well before April 2018, when the first browser changes land.

Let's Encrypt issues certificates free of charge, so there are no ongoing costs once the initial configuration work has been done, and its certificates are trusted by all major browsers and operating systems.

If you would like assistance to implement Let's Encrypt, we'd be glad to help. Please contact us.