Chrome and Firefox ending support for legacy Symantec certificates
From Google Chrome version 66 and Firefox 60 onwards, support for legacy Symantec certificates (certificates issued before 1 June 2016) will be suspended due to a number of issues. If your site uses one of these certificates this will result in the site not having the green lock and a warning being shown to your visitors. This affects certificates from the following providers as well, as they are (former) sub-companies/partners of Symantec: Thawte, VeriSign, Equifax, GeoTrust and RapidSSL.
How to check if your site uses a legacy Symantec certificate
We still see these certificates in use on a lot of sites. The Chrome update 66 is scheduled for April 2018, Firefox will show a warning from version 60 onwards which is scheduled for release in May 2018. There isn’t much time left to upgrade these certificates. You can check if your site is using one of these certificates by doing the following in Google Chrome:
- Go to your website
- Right-click on the page and click ‘inspect’
- In the developer console that opens, click on the ‘console’ tab
Any errors related to your website and certificate will be shown here. If the website uses a legacy Symantec certificate you will see the following warning in the Google Chrome developer console:
If you see this warning we recommend to contact your hosting provider about upgrading the certificate.
Having a Symantec certificate after the Google Chrome update will result in the following warning: NET::ERR_CERT_SYMANTEC_LEGACY. For Firefox users the warning will be MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONTRAINT_FAILED.
The warning will look like this and will require users to manually bypass it before they can visit the site:
The only way to fix this issue is to use another certificate that is not affected by this update.
What to do when your site uses a legacy Symantec certificate
We strongly advise to check if your site uses one of these certificates. If your site uses a certificate like this we recommend to contact your hosting provider so they can fix it by updating the certificate.
For more information from Google about this issue see https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html. Mozilla has written a blog for Firefox as well here: https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/