The time has come (and gone) to replace your Symantec certificates

By Shaun Ewing · · 1 min read · Tech

In January, 2017 a posting to the mozilla.dev.security.policy newsgroup raised the possibility that Symantec have been issuing certificates that have not been subject to the necessary validations.

As a result of this incident and a continuing pattern of issues over the past few years the Chrome team announced that they have lost confidence in the trustworthiness of Symantec’s certificate infrastructure and as a result of this the Chrome browser would no longer trust Symantec-issued certificates from prior to June 1, 2016 as of the Chrome 66 release.

Last week that day has arrived and Chrome 66 was released to the general public. My installation like many others was updated automatically:

Chrome Updated

Having long since replaced all of the Symantec certificates across my own infrastructure (primarily with AWS Certificate Manager issued certificates) I will admit that these changes completely slipped my mind until I started getting errors browsing web sites that I frequent — everything from my local council to various news and social sights that I access.

If you’re still using Symantec certificates — now is the time to replace them if you haven’t already done so. Chrome will begin distrusting all certificates issued on the old Symantec infrastructure from Chrome 70 (due October), and Firefox will also start showing warnings with the release of Firefox 60 in the next few weeks.

References