Skip to main content
banner image
venafi logo

Symantec Certificate Distrust Timeline: Are You Prepared?

Symantec Certificate Distrust Timeline: Are You Prepared?

Symantec Certificate Distrust
October 24, 2017 | Mike Dodson

It appears the dust has begun to settle between Google and Symantec.

Roughly six months ago, researchers affiliated with Chrome claimed that the Symantec certificate authority (CA) mis-issued thousands of transport layer security (TLS) certificates. As a result, Chrome would no longer trust Symantec’s certificates.

The web and security juggernauts spent months discussing and debating Google’s report and distrust schedule. My colleague Paul Turner wrote an informative blog series on Google’s decision and its impact on the industry, be sure to check them out for more information on how this situation has evolved.

Now, Chrome researchers Devon O’Brien, Ryan Sleevi and Andrew Whalley formally announced the browser’s plan to distrust Symantec’s certificates.

Back in March, Kevin Bocek, chief security strategist for Venafi, shared his thoughts on the Google vs. Symantec debate. He believes that ultimately, this incident is not a unique occurrence and we should expect similar events in the future.

“This is a giant wake-up call for every business,” wrote Kevin. “Most organizations don’t have the agility required to move, add or change certificates, keys or CAs in response to external issues like this one. The best possible outcome is that businesses will realize they are going to have to figure out how to deal with not just this issue, but other issues like it. The only other alternative is to be victimized by these events.”

Google’s final distrust timeline is below. Be sure to give it a careful review so that your organization will be prepared for any potential impact before the deadline passes.

  • Now through ~March 15, 2018
    Site Operators using Symantec-issued TLS server certificates issued before June 1, 2016 should replace these certificates. These certificates can be replaced by any currently trusted CA.
  • ~October 24, 2017
    Chrome 62 released to Stable, which will add alerting in DevTools when evaluating certificates that will be affected by the Chrome 66 distrust.
  • December 1, 2017
    According to Symantec, DigiCert’s new “Managed Partner Infrastructure” will at this point be capable of full issuance. Any certificates issued by Symantec’s old infrastructure after this point will cease working in a future Chrome update.

    From this date forward, Site Operators can obtain TLS server certificates from the new Managed Partner Infrastructure that will continue to be trusted after Chrome 70 (~October 23, 2018).

    December 1, 2017 does not mandate any certificate changes, but represents an opportunity for site operators to obtain TLS server certificates that will not be affected by Chrome 70’s distrust of the old infrastructure.
  • ~March 15, 2018
    Chrome 66 released to beta, which will remove trust in Symantec-issued certificates with a not-before date prior to June 1, 2016. As of this date Site Operators must be using either a Symantec-issued TLS server certificate issued on or after June 1, 2016 or a currently valid certificate issued from any other trusted CA as of Chrome 66.

    Site Operators that obtained a certificate from Symantec’s old infrastructure after June 1, 2016 are unaffected by Chrome 66 but will need to obtain a new certificate by the Chrome 70 dates described below.
  • ~April 17, 2018
    Chrome 66 released to Stable.
  • ~September 13, 2018
    Chrome 70 released to Beta, which will remove trust in the old Symantec-rooted Infrastructure. This will not affect any certificate chaining to the new Managed Partner Infrastructure, which Symantec has said will be operational by December 1, 2017.

    Only TLS server certificates issued by Symantec’s old infrastructure will be affected by this distrust regardless of issuance date.
  • ~October 23, 2018
    Chrome 70 released to Stable.

Does your organization have the agility to meet Chrome’s demands?


Like this blog? We think you will love this.
wildcard certificates
Featured Blog

Wildcard Certificates Make Encryption Easier, But Less Secure

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Mike Dodson
Mike Dodson

Mike is VP of World-Wide Customer Security Strategy and Solutions at Venafi. With an MS in Engineering and nearly 20 years experience, his skillsets include data analysis, taking products to market, aligning business and technical requirements, UI/UX design and public speaking.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more