What’s Happening with Symantec SSL Certificates?

Michael Phillips

You may have recently read one of the many confusing or seemingly contradictory articles about the Symantec vs. Google grudge match that’s been going on for some time now. If not, here’s the problem in a nutshell:

Google found a troubling number of bad SSL certificates issued by Symantec. “Bad” here means that Symantec had issued certs for google.com and other high-profile domains, but had issued them to people who were not Google, etc. Symantec said they were just test certificates used by internal staff, and that they never left their four walls. But the fact remained that the certs were valid and could potentially cause a lot of trouble.

Google took issue with the fact that the certs were issued at all, and accused Symantec of sloppy housekeeping. They said to Symantec, “You need to prove to the world that you can clean up your act or we’re going to stop trusting your certs.” Symantec basically replied, “Oh, stop being so dramatic,” and Google said, “Oh yeah? We’ll show you dramatic,” and issued notices giving the exact dates when they would stop trusting the Symantec certs.

Okay, that’s not exactly how it went down, but it’s not that far from what really happened. Just imagine the above in barely polite corporate speak and you’re pretty much there.

In any event, you’re probably wondering what it all means if you have a Symantec SSL certificate (and if you use a RapidSSL, GeoTrust QuickSSL or GeoTrust True BusinessID certificate – which is what we issue – you are using a Symantec certificate).

The short answer: nothing.

It’s not likely that you’ll experience any problems related to the dust-up.

Why?

Because Symantec sold their certificate business to a company that Google does trust. So the Symantec name will continue on, but the certificates will be issued by the “new” Symantec and trusted by Google. And unless you bought your current certificate a long time ago, it will be re-issued by the new Symantec when you renew it, so you won’t notice a thing.

Again, if you pay for your SSL certificate every year, this probably doesn’t apply to you, but just for the sake of completeness, here are the actual dates and what happens when:

For certificates issued before June 1st, 2016

The Chrome browser will no longer trust this certificate after March 15, 2018. In order to retain trust by the Chrome browser, you need to replace this certificate.

  • If the certificate expires before March 15th, 2018, you don’t need to do anything. The certificate will continue to be trusted by Chrome until it expires.
  • If the certificate expires after March 15th, 2018, but before September 13th, 2018, you can re-issue this certificate any time before March 15th, 2018.
  • If the certificate expires after September 13, 2018, you have to re-issue the certificate before March 15, 2018.

For certificates issued after June 1st, 2016

The Chrome browser will no longer trust this certificate after September 13, 2018.

  • If the certificate expires before September 13th, 2018, you don’t need to do anything. The certificate will continue to be trusted by Chrome until it expires.
  • If the certificate expires after September 13th, 2018, you have to re-issue the certificate before September 13th, 2018.
  • If you have purchased a certificate after December 1st, 2017, the Chrome browser will trust this certificate. You do not have to re-issue.
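The date rules above, written as a check over the output of `openssl x509 -noout -dates` (an added example, not part of the original article). The sample certificate dates are constructed; using the notBefore date as the purchase date and placing a date that equals a cutoff in the later group are assumptions.

```python
from datetime import date, datetime

# Cutoff dates exactly as stated in the article.
GROUP_SPLIT = date(2016, 6, 1)       # issued before / after June 1st, 2016
FIRST_DISTRUST = date(2018, 3, 15)   # Chrome distrust date for the older group
SECOND_DISTRUST = date(2018, 9, 13)  # Chrome distrust date for the newer group
NEW_ISSUER = date(2017, 12, 1)       # certificates purchased after this are trusted


def parse_openssl_dates(text):
    """Return (not_before, not_after) from `openssl x509 -noout -dates` output."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
        fields[key.strip()] = stamp.date()
    return fields["notBefore"], fields["notAfter"]


def chrome_action(not_before, not_after):
    """Apply the article's rules. Assumptions: notBefore stands in for the
    purchase date, and a date equal to a cutoff falls in the later group."""
    if not_before >= NEW_ISSUER:
        return "trusted, no re-issue needed"
    distrust = FIRST_DISTRUST if not_before < GROUP_SPLIT else SECOND_DISTRUST
    if not_after < distrust:
        return "no action, expires before Chrome distrust"
    return "re-issue before " + distrust.isoformat()


def check(text):
    """Classify one certificate from its `-dates` output."""
    return chrome_action(*parse_openssl_dates(text))


# Constructed sample outputs, not taken from real certificates.
OLD_LONG = "notBefore=May 10 00:00:00 2016 GMT\nnotAfter=May 10 23:59:59 2019 GMT"
NEWER_SHORT = "notBefore=Aug  2 00:00:00 2016 GMT\nnotAfter=Aug  2 23:59:59 2018 GMT"
REISSUED = "notBefore=Dec 15 00:00:00 2017 GMT\nnotAfter=Dec 15 23:59:59 2019 GMT"

if __name__ == "__main__":
    for name, sample in [("old", OLD_LONG), ("newer", NEWER_SHORT), ("reissued", REISSUED)]:
        print(name, "->", check(sample))
```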
