05 February 2018 Reading time: 4 minutes

Reissuing SSL-certificates by Symantec, GeoTrust, Thawte and RapidSSL

ISPSystem

Starting from December the 1st, 2017 Digicert certificate authority has started to issue certificates of Symantec group. Every SSL belonging to Symantec, GeoTrust, Thawte, and RapidSSL should be reissued in case if it was purchased prior to this date. The sooner - the better. In spring 2018 a new beta-version of Chrome browser is expected to be released. The new version will mark websites with the certificates issued before 12.01.2017 as unsecure. A stable version of Chrome will be released in autumn.

Google security concerns

Google cares about internet security. SSL/TLS-certificates provide an encrypted connection (HTTPS). Some SSL can also verify activity of a website owner. Protected connection is necessary for all websites collecting user data. This is why Google Chrome shows security alerts if the connection is not secure.

SSL-certificates are issued by the certificate authorities. Rules of the SSL issue are managed together with the community of Chromium, an open-source browser. The community unites Google, Yandex, and other companies. The community monitors these rules to be abided.

Google distrusts Symantec

In March, 2017 Google reported a violation of the rules by Symantec SSL-department causing a big scandal. The department issued SSL certificates with errors, creating a risk of fraudulent activity. Because of the fact that Symantec issues nearly a third of all certificates in the world, Google developed a gradual distrust plan for such certificates. The plan was supported by Mozilla.

After the scandal, Digicert had purchased the SSL business from Symantec. They had modified the certificates issue process and started to issue SSLs conforming to the rules. This is the reason why the Symantec certificates issued before 12.01.2017 should be reissued.

Possible actions and the timeline

Symantec group includes Symantec, GeoTrust, Thawte, and RapidSSL brands. If you have one of these certificates, you need to reissue it.

The right time to reissue your certificate depends on the moment of releasing the new version of Google Chrome that will mark Symantec certificates as insecure. At first, a beta version will be released, then - for a stable one. The beta version has a very limited user audience so you may focus on the stable.

The detailed plan is available at the security blog of Google. A simplified timeline looks like this:

SSL issue date
Due time for reissue
Before 06.01.2016
Before 04.17.2018 (beta - 15.03.2018)
Before 12.01.2017
Before 10.23.2018 (stable - 13.09.2018)

If your SSL-certificate expires before releasing the new version of Chrome, you don’t need to reissue it, just buy a new one after its expiration.

If you don’t remember some details about your certificate you may use SSL Checker service to check issue date, a certificate authority, and other important data.

A quick test to check if you need to take any emergency measures. Google Chrome browser can be used for the test.

  1. Open your website.
  2. Go to the Chrome menu and open Additional settings - Developer tools, then open a Security folder.
  3. If you see the green line saying “This page is secure (valid HTTPS)”, it means that you are good. However, if you see “This page is not secure”, you need to reissue the certificate.

How to reissue your certificate

A certificate reissue is a free service. If you purchased your SSL in ISPsystem, contact us via chat or in your Account area, or certificate authority or a reseller where you purchased your SSL. The reissue procedure is same as for issue a new certificate: you need to confirm your rights for the domain name and go through a check by a certification authority.

Important: SSL validity time won’t change after reissue.