SSL

Chrome and Firefox ending support for legacy Symantec certificates

Chrome and Firefox ending support for legacy Symantec certificates

From Google Chrome version 66 and Firefox 60 onwards, support for legacy Symantec certificates (certificates issued before 1 June 2016) will be suspended due to a number of issues. If your site uses one of these certificates this will result in the site not having the green lock and a warning being shown to your visitors. This affects certificates from the following providers as well, as they are (former) sub-companies/partners of Symantec: Thawte, VeriSign, Equifax, GeoTrust and RapidSSL.

How to check if your site uses a legacy Symantec certificate

We still see these certificates in use on a lot of sites. The Chrome update 66 is scheduled for April 2018, Firefox will show a warning from version 60 onwards which is scheduled for release in May 2018. There isn’t much time left to upgrade these certificates. You can check if your site is using one of these certificates by doing the following in Google Chrome:

  1. Go to your website
  2. Right-click on the page and click ‘inspect’
  3. In the developer console that opens, click on the ‘console’ tab

Any errors related to your website and certificate will be shown here. If the website uses a legacy Symantec certificate you will see the following warning in the Google Chrome developer console:

Symantec legacy certificate warning in developer console

If you see this warning we recommend to contact your hosting provider about upgrading the certificate.

Having a Symantec certificate after the Google Chrome update will result in the following warning: NET::ERR_CERT_SYMANTEC_LEGACY. For Firefox users the warning will be MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONTRAINT_FAILED.

The warning will look like this and will require users to manually bypass it before they can visit the site:

Symantec legacy certificate warning

The only way to fix this issue is to use another certificate that is not affected by this update.

What to do when your site uses a legacy Symantec certificate

We strongly advise to check if your site uses one of these certificates. If your site uses a certificate like this we recommend to contact your hosting provider so they can fix it by updating the certificate.

For more information from Google about this issue see https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html. Mozilla has written a blog for Firefox as well here: https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/

Related Articles

  • 2.3.10 release

    As WordPress 4.6 was due to release today, I was planning to release the new version of Really Simple SSL as well. No really big changes, but ‘ll list them...
  • Version 2.2 released

    Yesterday the new version was released. With support for per site activation on WordPress multisite, easy uninstall option, and even less overhead on the front-end, which was pretty good already...
  • Security review of Really Simple SSL

    I recently was asked on the WordPress support forums if Really Simple SSL is securely built. I always thoroughly check the code for possible security issues, and secure all posts...
  • New plugin published on WordPress: Guest Post Publisher

    Today I’ve released a new plugin on WordPress: Guest Post Publisher. Just like the name says, you can use it to let your website visitors post guest posts. The reason...