DigiCert will now allow Symantec CA customers to renew up to seven months early
Though I’m tempted to start this post by saying that, “if you haven’t been living under a rock you likely know about the Symantec-Google distrust,” I realize for the majority of people – those who don’t work in cybersecurity or sell cybersecurity products – that isn’t true. This whole situation with Symantec has been a huge deal within a certain space, but outside of it – there hasn’t been much attention.
That’s probably owed to the fact that digital certificates are exceedingly boring.
For many people, the first they had heard that Google was distrusting Symantec CA brand (Symantec, RapidSSL, GeoTrust & Thawte) SSL certificates was a couple of weeks ago, when their website started getting browser warnings. So let’s talk about how we got here and how DigiCert is now prepared to make this right for Symantec customers.
Why is Google distrusting Symantec CA SSL certificates?
Pull up a chair and let me tell you about a time before certificate transparency and CAA records, when the digital certificate landscape was like the wild, wild west. The time was 2015, and Google came to Symantec with some issuance problems. Unfortunately, Symantec’s response didn’t satisfy Google and when some more mis-issuances came to light, followed by evidence of lax oversight of regional authorities that were handling validation in certain geographical locations, Google and the other browsers decided they just couldn’t trust Symantec’s PKI anymore and would need to distrust every SSL certificate that had been issued from it.
Now, there are three ways to look at this. The first is the browsers’ perspective. Symantec had demonstrated across several situations that it didn’t have proper oversight over its issuance practices and that created a degree of risk with regard to its PKI and the possibility that other mis-issuances had gone unreported. Ergo, the entire PKI needs to be distrusted. Also, an example needs to be made out of a big CA.
Symantec, on the other hand, pointed out that the scale of the reported issues was minute: 33 mis-issued test certificates, by Symantec’s count, and zero real-world harm. It’s like finding a small scratch on a car’s fender and then arguing that, by virtue of the scratch, we can no longer trust you to take care of the rest of the car, including what’s under the hood, so it needs to come off the road. It seems excessive because it is a little excessive.
Then there’s the third perspective: everyone else’s. That is, “a bunch of squabbling nerds drinking designer juice in Silicon Valley just cost me time and money.”
In the real world, nobody cares about a bunch of test certificates or the conduct of a regional authority in a distant time zone; they care that the product they paid for isn’t functioning like it’s supposed to. It doesn’t matter whose fault it is, or why. What matters is that we fix this with minimal friction.
DigiCert is lending a hand to Symantec customers
As part of Symantec’s agreement with Google and the other browsers, DigiCert acquired the Symantec CA last fall and began issuing digital certificates for Symantec in December. Since then, DigiCert has been steadily working to replace the SSL certificates that Google is eventually going to distrust.
The first group of certificates was distrusted a couple weeks ago with the latest release of Chrome. That leaves one final group of SSL certificates that will be distrusted on October 23rd.
Unfortunately, many in that group of customers were getting the absolute $#%& end of the stick, because their certificates are set to expire only weeks after they would re-issue them. In other words, because it was too early to renew, they would be stuck re-issuing and re-installing, and then doing much the same thing a couple of months later when they renewed.
Fortunately, DigiCert is giving you a pass. The renewal window for Symantec CA SSL certificates issued before December 1, 2017 is now seven months, meaning you can renew today and just be done with this entire distrust thing.
Best of all, DigiCert will round up the time you have remaining, up to seven months. So if you renew with six and a half months to go, DigiCert will issue you a certificate with seven months carried over. Unfortunately, because of the CAB Forum baseline requirements, this is only good for one-year renewals, owing to the 825-day maximum validity.
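If you manage more than a handful of certificates, the practical question is "which of mine are caught by this, and what does the seven-month early renewal actually give me?" The script below is an added example, not DigiCert's or Symantec's tooling: it reads the text that `openssl x509 -noout -issuer -dates -in cert.pem` prints, checks whether the certificate comes from the legacy Symantec PKI (issued before the December 1, 2017 cutover named above), reports which distrust group it falls into, and works out the renewal arithmetic (remaining validity carried over up to seven months, one-year renewal, 825-day cap). The issuer organisation strings, the June 1, 2016 boundary between the two distrust groups (from Google's published plan), the year on the October 23 date, and the 213-day approximation of seven months are assumptions, as is the sample certificate data, which is constructed.

```python
"""Triage helper for the Symantec CA distrust (added example, not vendor code).

Input is the output of `openssl x509 -noout -issuer -dates -in cert.pem`.
Assumptions: issuer "O=" strings for the legacy brands, the 2016-06-01
first-group boundary and the 2018 year of the final distrust (both from
Google's published plan, not this post), and seven months ~ 213 days.
"""
import re
from datetime import datetime, timedelta

# Assumed issuer organisation names for the legacy Symantec brands; adjust
# to what your own certificates actually show.
LEGACY_SYMANTEC_ORGS = {"Symantec Corporation", "GeoTrust Inc.",
                        "thawte, Inc.", "RapidSSL"}
DIGICERT_CUTOVER = datetime(2017, 12, 1)     # from the post
PHASE1_BOUNDARY = datetime(2016, 6, 1)       # assumed: first distrust group
FINAL_DISTRUST = datetime(2018, 10, 23)      # October 23rd per the post; year assumed
EARLY_RENEWAL = timedelta(days=213)          # seven months, approximated
ONE_YEAR = timedelta(days=365)
MAX_VALIDITY = timedelta(days=825)           # CAB Forum baseline maximum


def _issuer_org(issuer):
    """Pull the O= value out of either OpenSSL name format."""
    if issuer.startswith("/"):                     # OpenSSL 1.0: /C=US/O=...
        parts = issuer.strip("/").split("/")
    else:                                          # OpenSSL 1.1+: C = US, O = ...
        parts = re.split(r"(?<!\\), ", issuer)     # commas in values are escaped as \,
    for part in parts:
        name, _, val = part.partition("=")
        if name.strip() == "O":
            return val.strip().replace("\\,", ",")
    return None


def parse_openssl_output(text):
    """Return (issuer_org, not_before, not_after) from `openssl x509` output."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")        # first '=' ends the field name
        fields[key.strip()] = value.strip()
    fmt = "%b %d %H:%M:%S %Y GMT"                  # strptime tolerates the double space
    return (_issuer_org(fields["issuer"]),
            datetime.strptime(fields["notBefore"], fmt),
            datetime.strptime(fields["notAfter"], fmt))


def assess(issuer_org, not_before, not_after, today):
    """Classify the certificate and compute the early-renewal outcome."""
    legacy = issuer_org in LEGACY_SYMANTEC_ORGS and not_before < DIGICERT_CUTOVER
    if not legacy:
        distrust = None
    elif not_before < PHASE1_BOUNDARY:
        distrust = "already distrusted (first group)"
    else:
        distrust = "distrusted on " + FINAL_DISTRUST.date().isoformat()
    remaining = not_after - today
    eligible = legacy and timedelta(0) < remaining <= EARLY_RENEWAL
    carry = min(remaining, EARLY_RENEWAL) if eligible else timedelta(0)
    new_not_after = today + ONE_YEAR + carry if eligible else None
    return {
        "legacy_symantec": legacy,
        "distrust": distrust,
        "days_remaining": remaining.days,
        "early_renewal_eligible": eligible,
        "carried_over_days": carry.days,
        "new_not_after": new_not_after.isoformat() if new_not_after else None,
        "within_825_day_max": (new_not_after - today <= MAX_VALIDITY) if new_not_after else None,
    }


# Constructed sample mimicking `openssl x509 -noout -issuer -dates`; not a real certificate.
SAMPLE_LEGACY = """\
issuer=C = US, O = Symantec Corporation, CN = Example Symantec Intermediate
notBefore=Sep  5 00:00:00 2017 GMT
notAfter=Dec  4 23:59:59 2018 GMT
"""

# Constructed sample for a certificate issued after the cutover (not affected).
SAMPLE_DIGICERT = """\
issuer=C = US, O = DigiCert Inc, CN = Example DigiCert Intermediate
notBefore=Jan 10 00:00:00 2018 GMT
notAfter=Jan 10 23:59:59 2020 GMT
"""


def triage(text, today):
    """Parse then assess; convenient for looping over many certificates."""
    return assess(*parse_openssl_output(text), today)


if __name__ == "__main__":
    now = datetime(2018, 5, 15)   # assumed 'today' around the time of the post
    for sample in (SAMPLE_LEGACY, SAMPLE_DIGICERT):
        for k, v in triage(sample, now).items():
            print(f"{k:24} {v}")
        print()
```

With the constructed sample (expires December 4, 2018, checked on May 15, 2018) the certificate falls in the final October 23 group, has 203 days left, qualifies for early renewal, and the renewed certificate would run to December 4, 2019, i.e. the full remaining time is carried over and the total stays well under the 825-day cap. Feed the script the real `openssl x509` output for each site to get the same breakdown.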
But still, if you’re a Symantec CA customer and you need to re-issue before the October final distrust, DigiCert has a way for you to renew now and put all of this ugliness behind you.
Stay cautious, my friends…