Replacing SSL (Secure Socket Layer) Certificates affected by browser distrust

The popular internet browsers Google Chrome and Mozilla Firefox have recently announced their plans to distrust any SSL certificates issued by the company Symantec before December 1st 2017. An SSL certificate is an important aspect of a website that handles sensitive, personal information. Symantec’s Web Security and other PKI solutions have been taken over by the company DigiCert – this acquisition will result in DigiCert updating and modernizing several aspects of the Symantec model. However, in the meantime, Chrome and Mozilla have decided to remove trust in Symantec SSL certificates until these updates are completed.

SSL certificates from IONOS

Protect your domain and gain visitors' trust with an SSL-encrypted website!

Easy to activate
Proven safety
24/7 assistance

Why are these SSL certificates being targeted?

Chrome and Mozilla’s decision to distrust SSL certificates results from a small number of discrepancies in SSL certificates issued by them between 2015 and now. The main criticism was about Symantec’s ability to ensure a proper authentication process for SSL certificates. Debates between Symantec and the browser community have spread over several months and have concluded with two main action points laid down by Google Chrome and later confirmed by Mozilla:

  1. Symantec must partner up with another Certificate Authority to run the SSL authentication and issuance processes from a new infrastructure.

  2. All SSL certificates issued from prior Symantec roots will be distrusted and need to be replaced without extra cost following phased timeline.

Shortly after this decision, Symantec sold their SSL business to Digicert and started issuing fully compliant SSLl certificates from their new CA infrastructure on December 1st 2017.

While Chrome and Mozilla may be acting in the interest of their customers safety, there are a number of browsers such as Internet Explorer, Safar and Opera who are choosing not to display warning messages to visitors, as they do not believe the threat to be as serious as Chrome and Mozilla claim. Regardless of severity of the security risk, plenty of website operators may have their website affected by this campaign of distrust.

When will SSL certificates be affected?

Chrome will begin issuing security warnings on the April 16th, 2018 to Chrome 66 (and later) users when they try to access a Symantec SSL-encrypted website. This warning will appear on all Symantec SSL certificates issued before the June 1st, 2016. From October 2018, Chrome 70 (and above) users will also receive the message on all sites that contain Symantec SSL certificates issued before December 1st, 2017. The warning message simply states that the data exchange may be unsafe. Visitors can accept the warning and continue on to the website unimpeded: the website’s functionality will remain unaffected. There is no risk to any data on your website being compromised.

Key replacement dates as outlined by Google.
Google Chrome have announced a timeline for when SSL certificates need to be renewed.

How do I know if my certificate is affected?

In order to work out whether or not your website’s SSL certificates will be affected by this change, you will need to check the validity of the certificate. There are a number of online tools that can help you assert the validity of your SSL certificates – simple research, select and download your program to check their certificate validity. Alternatively, checking the validity through your own browser is quite straightforward. Here, we will show you how to check whether your SSL certificates are in date or not on Google Chrome and Mozilla Firefox.

Google Chrome

To check the status of your SSL certificate on Chrome, select the icon next to the URL. This may be a green lock (connection secure), a yellow exclamation mark (no certificate provided), a blank page icon (this website does not need prior authentication), a lock icon with a yellow triangle (certificate provided, but security standard is low) or a red padlock (site has certificate issues).  Click on the icon present and a window will pop up with an option to view the certificate:

Checking the validity of your certificate on Chrome.]
Checking the validity of your certificate on Google Chrome is easy.

Go to the “Details” tab in the second popup window and you will be able to find the validity period dates for the website’s certificate.

Mozilla Firefox

The process for checking the validity of an SSL certificate on Mozilla Firefox is more or less the same as checking on Chrome. Next to the URL should be a security icon – either a green padlock (secure), gray padlock with a yellow exclamation triangle (connection may not be secure) or a gray packlock with a red line through it (connection not secure). Clicking on the security icon will bring up a small pop up window:

Checking the validity of your certificate on Firefox.
Checking the validity of your certificate on Mozilla Firefox is almost identical.

Simply click on the arrow next to the website connection information and another window will pop open. In the General tab of the pop up window, the Period of Validity will be on display at the bottom.

Replacement Timeline & Actions Required

The timeline consists of two phases which match Google Chrome 66 & 70 version releases:

Replacement dates timeline.
Overview of the replacement timeline for SSL certificates.

Phase I –Certificates issued before June 1st 2016 will be distrusted by Chrome 66. You will need to renew SSL certificates issued before this date on before March 15th 2018.

Phase II – If your SSL certificate was issued after December 1st, 2017 then there is no need to reissue it. Certificates issued before December 1st 2017 will be distrusted by Chrome 70. Any SSL certificates issued before this date will need to be replaced by September 13th 2018. With Chrome 66 you may already notice a warning in Chrome Developer Tools:

Chrome Developer Tools Warning.
Chrome 66 users may already be experiencing this warning message.

If the SSL certificate is not replaced before Chrome 70 is released, then your customers will no longer be able to access your site:

Chrome 70 user warning.
Chrome 70 users may already be experiencing this warning.

Taking Action

All affected SSL certificates need to be replaced through a Reissue operation. This provides a new certificate for the same domain, with the same expiration date as the one replaced.

Note

If your certificate expires before Sept 13th 2018 (Chrome 70 beta), there’s no need to take any action.

Symantec/DigiCert are offering affected customers a new SSL certificate free of charge.

You will need to create a CSR (Certificate Signing Request) for each of the certificates you wish to replace/have reissued, which is a standard procedure for sending DigiCert your public key, information about your company and your domain name. Submit your request, and once DigiCert have revalidated your domains and organizations, you will receive the new certificate which you can install.

Related articles

HPKP: What is behind the public-key pinning extension for HTTP

HPKP: What is behind the public-key pinning extension for HTTP

  • Security

SSL/TLS certificates play an increasingly important role in the transmission of sensitive data. They guarantee that data packets reach the desired addressee without any detours. Problems only arise when internet users are deliberately redirected by invalid certificates from dubious certification bodies – a scenario that can be prevented using so-called HTTP public key pinning (HPKP).

HPKP: What is behind the public-key pinning extension for HTTP
Internet security: secure websites with SSL and HTTPS

Internet security: secure websites with SSL and HTTPS

  • Website creation

The topic of data security is becoming increasingly important for both private users as well as in the business world. As a website owner, you should take all the necessary precautions to ensure that a visit to your site is as secure as possible. Converting your site from HTTP to HTTPS or SSL is an important first step to securing your website and gaining your customers’ trust.

Internet security: secure websites with SSL and HTTPS
Sitemaps – Here’s what you need to know

Sitemaps – Here’s what you need to know

  • Website creation

Sitemaps belong to the standard features of a website, but they seem to be gradually disappearing from the World Wide Web. Some online presences hide the navigation file or even forgo it completely. We explain why search engines like Google still give sitemaps a lot of attention, how important sitemaps are for SEO as a result, and how you can create sitemaps yourself – manually or with a sitemap…

Sitemaps – Here’s what you need to know
SSL certificates: What they are and what they’re for

SSL certificates: What they are and what they’re for

  • Website creation

Security on the internet is always paramount: regardless of whether you run a website yourself or just surf the web, you should always understand the basics of internet security. Here we explain exactly what SSL certificates are, what you need them for, and the different types of certificates that are out there.

SSL certificates: What they are and what they’re for
HSTS: How the HTTPS expansion works

HSTS: How the HTTPS expansion works

  • Web development

HTTPS, the network protocol for TLS-encrypted data transfer online can be circumvented in some cases. The danger is that encrypted websites can be accessed via unencrypted HTTP. But the HTTPS extension HSTS (HTTP Strict Transport Security) forces website access via TLS encryption, closing the security gaps that hackers like to use to intercept the HTTPS connection during transport using…

HSTS: How the HTTPS expansion works
We use cookies on our website to provide you with the best possible user experience. By continuing to use our website or services, you agree to their use. More Information.