Chrome and Firefox ending support for legacy Symantec certificates

From Google Chrome version 66 and Firefox 60 onwards, support for legacy Symantec certificates (certificates issued before 1 June 2016) will be suspended due to a number of issues. If your site uses one of these certificates, it will lose the green lock and your visitors will be shown a warning. This also affects certificates from the following providers, as they are (former) subsidiaries or partners of Symantec: Thawte, VeriSign, Equifax, GeoTrust and RapidSSL.

How to check if your site uses a legacy Symantec certificate

We still see these certificates in use on a lot of sites. Chrome 66 is scheduled for April 2018, and Firefox will show a warning from version 60 onwards, which is scheduled for release in May 2018. There isn’t much time left to upgrade these certificates. You can check if your site is using one of these certificates by doing the following in Google Chrome:

  1. Go to your website
  2. Right-click on the page and click ‘inspect’
  3. In the developer console that opens, click on the ‘console’ tab

Any errors related to your website and certificate will be shown here. If the website uses a legacy Symantec certificate you will see the following warning in the Google Chrome developer console:

[Image: Symantec legacy certificate warning in developer console]

If you see this warning, we recommend contacting your hosting provider about upgrading the certificate.
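The same check can be scripted outside the browser. The following is an added example, not part of the original article: it applies the article's two criteria (an affected brand and an issue date before 1 June 2016) to a certificate in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`. Matching brand names in the issuer field is an assumption made here as a heuristic; the sample certificates are constructed.

```python
import socket
import ssl

# Brands the article names as affected (Symantec and its former subsidiaries/partners).
AFFECTED_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")
# Cutoff from the article: certificates issued before 1 June 2016.
CUTOFF = ssl.cert_time_to_seconds("Jun  1 00:00:00 2016 GMT")


def issuer_names(cert):
    """Flatten the issuer RDN tuples into a list of lowercase attribute values."""
    return [value.lower() for rdn in cert.get("issuer", ()) for _key, value in rdn]


def is_legacy_symantec(cert):
    """Heuristic: issuer carries an affected brand name AND notBefore precedes the cutoff."""
    if "notBefore" not in cert:
        raise ValueError("no parsed certificate (empty dict: was validation disabled?)")
    branded = any(b in name for name in issuer_names(cert) for b in AFFECTED_BRANDS)
    return branded and ssl.cert_time_to_seconds(cert["notBefore"]) < CUTOFF


def fetch_cert(host, port=443, timeout=5):
    """Fetch a site's leaf certificate as a dict. Raises ssl.SSLError when the
    local trust store already rejects the chain, which is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real sites), in getpeercert() format.
SAMPLES = {
    "old-geotrust": {"issuer": ((("organizationName", "GeoTrust Inc."),),
                                (("commonName", "GeoTrust SSL CA - G3"),)),
                     "notBefore": "May 10 00:00:00 2016 GMT"},
    "new-symantec": {"issuer": ((("organizationName", "Symantec Corporation"),),
                                (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
                     "notBefore": "Jun  1 00:00:00 2016 GMT"},
    "other-ca": {"issuer": ((("organizationName", "Example Trust Services"),),
                            (("commonName", "Example TLS CA 1"),)),
                 "notBefore": "Mar  3 12:00:00 2015 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, is_legacy_symantec(cert))
```

To check a live site, pass the result of `fetch_cert("your-domain")` to `is_legacy_symantec()`.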

Having a legacy Symantec certificate after the Google Chrome update will result in the following warning: NET::ERR_CERT_SYMANTEC_LEGACY. For Firefox users the warning will be MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED.

The warning will look like this and will require users to manually bypass it before they can visit the site:

[Image: Symantec legacy certificate warning]

The only way to fix this issue is to use another certificate that is not affected by this update.

What to do when your site uses a legacy Symantec certificate

We strongly advise checking whether your site uses one of these certificates. If it does, we recommend contacting your hosting provider so they can fix it by updating the certificate.

For more information from Google about this issue, see https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html. Mozilla has written a blog post about Firefox as well: https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/