
Are You Prepared to Find and Replace Your Symantec Certificates?

November 28, 2017 | Sandra Chrust

You may have heard about Google’s intent to distrust Symantec certificates. But you might not know what that actually means for your organization. Ultimately, you will have to find, replace, and validate all certificates in your organization that chain up to a Symantec root. And you’ll have to do it all sooner rather than later, before your websites are flagged as untrusted.

Here’s how we got to this point. On 23 March 2017, Google staff software engineer Ryan Sleevi announced that the Chrome team had observed a "series of failures by Symantec Corporation to properly validate certificates." The mis-issuance originally involved just 127 certificates issued by Symantec, an American software security company which also manages its own Certificate Authority (CA). However, further investigation revealed that the failures applied to at least 30,000 certificates.

Google responded by proposing "an incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced." Users will have until 15 March 2018 to replace any Transport Layer Security (TLS) certificates issued by Symantec prior to 1 June 2016. They can do so by purchasing a new certificate from the Norton anti-virus software provider or from another reputable CA.

How will this impact your organization? Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, thinks replacing these certificates is easier said than done for some organizations. As he wrote in a blog post:

"This is a giant wake-up call for every business. Most organizations don’t have the agility required to move, add or change certificates, keys or CAs in response to external issues like this one. The best possible outcome is that businesses will realize they are going to have to figure out how to deal with not just this issue, but other issues like it. The only other alternative is to be victimized by these events."

Organizations wishing to meet Chrome's demands must have the ability to find every installation of all certificates that chain up to Symantec. That means they will need to locate certificates from potentially dozens of CAs from which they've purchased a digital certificate. Such a process would consume significant time and resources if performed manually.
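
As an added illustration (not Venafi's code and not part of the original post), the triage step described above can be sketched in Python over the text that `openssl x509 -noout -issuer -startdate` prints for each certificate in a served chain. The brand list and host names are assumptions, and matching issuer names is only a first-pass heuristic.

```python
import re
from datetime import datetime

# Assumption (not from the article): brand names Symantec issued under. Name
# matching is a triage heuristic; confirm hits against the actual root certificate.
SYMANTEC_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl", "equifax")
# From the article: certificates issued before 1 June 2016 are due by 15 March 2018.
ISSUED_CUTOFF = datetime(2016, 6, 1)
# O= and CN= values in both OpenSSL DN styles: "/O=x/CN=y" and "O = x, CN = y".
DN_FIELD = re.compile(r"(?:^|[/,]\s*)(?:O|CN)\s*=\s*([^/,]+)")

def classify(chain_text):
    """Classify `openssl x509 -noout -issuer -startdate` output for a served
    chain (leaf certificate first, then each intermediate)."""
    issuers = re.findall(r"^issuer\s*=\s*(.*)$", chain_text, re.M)
    names = " ".join(v.lower() for dn in issuers for v in DN_FIELD.findall(dn))
    if not any(brand in names for brand in SYMANTEC_BRANDS):
        return "ok"
    # The first notBefore belongs to the leaf; OpenSSL pads the day ("Jun  1").
    start = re.search(r"^notBefore=(.*)$", chain_text, re.M).group(1)
    issued = datetime.strptime(" ".join(start.split()), "%b %d %H:%M:%S %Y GMT")
    # Later-issued certificates still need replacing; the article gives no date.
    return "replace by 2018-03-15" if issued < ISSUED_CUTOFF else "replace"

def triage(inventory):
    """Return (host, verdict) pairs, most urgent first."""
    order = {"replace by 2018-03-15": 0, "replace": 1, "ok": 2}
    verdicts = {host: classify(text) for host, text in inventory.items()}
    return sorted(verdicts.items(), key=lambda kv: (order[kv[1]], kv[0]))

# Constructed sample inventory (hypothetical hosts, not real scan output).
SAMPLE = {
    "www.example.test": """issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
notBefore=Oct  2 10:00:00 2017 GMT""",
    "shop.example.test": """issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
notBefore=Mar  9 00:00:00 2016 GMT""",
    # The leaf's issuer shows no brand name; the next issuer up the chain does.
    "api.example.test": """issuer=C = US, O = Example Hosting, CN = Example Hosting TLS CA
notBefore=Aug 15 00:00:00 2017 GMT
issuer=C = US, O = "VeriSign, Inc.", CN = VeriSign Class 3 Public Primary Certification Authority - G5
notBefore=Jan  1 00:00:00 2015 GMT""",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE):
        print(f"{host:20} {verdict}")
```

Checking every issuer in the chain, not just the leaf's, is what catches certificates bought from a reseller or partner CA whose own name gives no hint of the root above it.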

What can you do about it?

Fortunately, companies can save themselves unnecessary effort using Venafi Cloud. The solution provides customers with a list of Symantec-issued certificates as well as the installation locations of all electronic documents that chain up to a Symantec root certificate. With this knowledge, organizations can begin requesting replacement certificates manually, or they can configure Venafi Cloud to automate the replacement certificate issuance process through Venafi's integrations with SaltStack, Docker, or Terraform DevOps. Whichever replacement method they choose, enterprises will spare themselves potential downtime, associated brand damage, and lost revenue.

For more information on how to find and replace Symantec certificates before Google Chrome and Mozilla Firefox start issuing security errors, please download this free report.

About the author

Sandra Chrust

Sandra Chrust writes for Venafi's blog and is an expert in machine identity protection.
