Google Distrusting Symantec Issued Security Certificates



Does your website still have a security certificate issued by Symantec? If so, there is a strong possibility that users attempting to access your site will soon be seeing a warning about the connection not being private.

For some time now, the discovery of security deficiencies and subsequent malpractices by trusted resellers of Symantec certificates has led to great concern. In 2015 Google detected that a certificate, not requested by Google, was issued to the domain (see Google’s blog post: Improved Digital Certificate Security). Another blog post, Sustaining Digital Certificate Security, revealed that Symantec performed an audit where they discovered that “an additional 164 certificates over 76 domains and 2459 certificates issued for domains, were never registered”.

Google has since lost trust in Symantec and no longer trusts any certificate issued by Symantec’s legacy infrastructure.

A blog post by Google Security bloggers in September 2017 confirmed this and warned that Chrome would reduce and ultimately remove its trust in the Symantec certificate authority (including brands such as Thawte and Verisign) (Chrome’s Plan to Distrust Symantec Certificates).

In another post in March this year, the expected timelines were published and site operators were urged to take action before it is too late (Distrust of the Symantec PKI: Immediate action needed by site operators). This blog post also outlined how site operators could determine whether they would be affected by this deprecation and warned that failure to replace these certificates would result in site breakage in upcoming versions of major browsers, including Chrome.

From as early as July 2018, users will start to see certificate errors on affected sites, and by January 2019 the Legacy Symantec PKI will be distrusted for all users.

How to test if your website is at risk:

  1. Install / update your Chrome to the latest version (use the Canary release of Chrome if you’d like to test on the edge without updating your current Chrome version);
  2. At the top of the address bar you should see a green bar indicating your site is using SSL;
  3. Press F12 to open the Chrome Debugger;
  4. Open the Console tab;
  5. If you see the following warning, you’ll have to get a new certificate soon:
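
To check many hosts without opening each one in Chrome, the script below flags certificates whose issuer organization carries one of the brands this article names. It is an added example, not Google's or OPENCOLLAB's code, and it is a name heuristic rather than the check Chrome performs, so the console warning from the steps above remains the authoritative signal. The function names and the `SAMPLE` data are constructed for illustration.

```python
import socket
import ssl
import sys

# Brands the article names for the legacy Symantec PKI; extend as needed.
LEGACY_BRANDS = ("symantec", "thawte", "verisign")

def issuer_fields(cert):
    """Flatten the nested issuer RDNs returned by getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def legacy_brand(cert):
    """Return the legacy brand found in the issuer organization, or None.

    Only organizationName is matched: the brand names continue under DigiCert,
    so a brand in the issuer commonName alone does not mean legacy issuance.
    """
    org = issuer_fields(cert).get("organizationName", "").lower()
    return next((b for b in LEGACY_BRANDS if b in org), None)

def fetch_cert(host, port=443, timeout=5):
    """Fetch the validated leaf certificate. Raises ssl.SSLError when the
    local trust store already rejects the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(certs_by_host):
    """Map host -> brand for every certificate that needs replacing."""
    hits = {h: legacy_brand(c) for h, c in certs_by_host.items()}
    return {h: b for h, b in hits.items() if b}

# Constructed sample data in the shape getpeercert() returns.
SAMPLE = {
    "old.example": {"issuer": ((("countryName", "US"),),
                               (("organizationName", "Symantec Corporation"),),
                               (("commonName", "Constructed Legacy CA"),))},
    "new.example": {"issuer": ((("organizationName", "DigiCert Inc"),),
                               (("commonName", "Constructed Thawte-branded CA"),))},
}

if __name__ == "__main__":
    for host in sys.argv[1:]:
        try:
            brand = legacy_brand(fetch_cert(host))
            print(host, "REPLACE (" + brand + ")" if brand else "ok")
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            print(host, "could not validate:", exc)
```

Pass hostnames as arguments to scan live sites. A host reported as "could not validate" may already be failing because the local trust store rejects its chain, so inspect it by hand.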




And then?

DigiCert has now acquired Symantec’s Website Security Business and Related PKI Solutions. Any certificates issued by Symantec’s ‘old’ infrastructure will no longer be valid from December 2018. This does not mean that you will no longer get Symantec certificates; you will just need to get them from DigiCert, which is now the trusted Certificate Authority.

Get in contact with your current certificate reseller to find out how to obtain a new valid certificate, or purchase your certificates from another reseller.

Secure your sites and be safe!

Charl Thiem is the IT Infrastructure Manager at OPENCOLLAB.

Contact OPENCOLLAB @ for advice!
