A final call for replacing security certificates using Symantec roots

Help Net Security sat down with Jeremy Rowley, Executive Vice President of Product at DigiCert. He leads the company’s product development teams serving its TLS and digital certificate clients for web communications and emerging markets clients that require security solutions for the Internet of Things, U.S. federal healthcare exchange, advanced Wi-Fi, and other innovative technology sectors.

replacing security certificates using Symantec roots

The stable release of Google Chrome 70 is coming up this month. This means that sites with remaining Symantec certificates will be flagged as untrusted. What does this mean for end users, organizations, and the information security industry?

In 2017, Google and Mozilla deemed Symantec’s controls over their PKI insufficient to continued operation within the browser root store and put in place a plan for gradual distrust of Symantec roots. Other browsers followed suit. On Oct. 31, 2017, DigiCert completed its acquisition of Symantec Website Security and put in place a plan, approved by browsers, to issue new certificates for Symantec brands and replace those to be distrusted by reissuing them on our trusted roots. Google’s plans included three critical dates, and we are now in the final stage of Google’s plan with the release of Chrome 70. The dates were:

  • December 2017 – One month after the DigiCert – Symantec deal closed, validation and issuance of new Symantec-brand certificates were transitioned to DigiCert’s PKI. No changes are required by the customers of either of the two companies except that all new issuance required revalidation of the customer information using a DigiCert verification process.
  • March 2018 – Chrome 66 beta distrusted all certificates issued by Symantec prior to June 1, 2016.
  • October 2018 – Chrome 70 stable will distrust all certificates issued from the Symantec PKI. When released, the stable version of Chrome will feature untrusted warnings for any certificates still using Symantec roots.

Visitors of a website that doesn’t migrate to DigiCert’s PKI prior to the required timelines will have a warning that their communication is not private. Fortunately, we’ve been taking extensive efforts to help provide a simple replacement process, and it’s working. As of mid-September, only between 1-2 percent of leading sites (Alexa 1 million base domains) had yet to get a replacement, and the replacements continue to accelerate. We are in a good place leading up to the Chrome 70 stable release currently scheduled for mid-October.

What advice would you give to those that are still deploying Symantec-issued certificates?

Our advice for any business still deploying a Symantec-issued certificate is to replace the certificate with a DigiCert certificate, for free, before users receive a warning in the browser. Anyone using a certificate issued from Symantec’s roots that includes any of its other brands, including Thawte, GeoTrust or RapidSSL, should replace the certificate now. DigiCert is offering to help customers make the transition with free replacements of Symantec-issued TLS certificates to extend trust through the end of the licensing period from the original purchase.

As a company, DigiCert has undertaken an unprecedented outreach with millions of emails and calls to educate customers about the potential impacts and solutions offered by DigiCert and have created instructions to help customers replace their SSL/TLS certificates. We simplified the process of replacing certificates, all while setting up an enhanced verification process and increasing the scalability of our PKI. We have also beefed up our validation staff and given them extensive training. The majority have already moved forward with replacements, but we are ready to help those who have yet to act.

What has been DigiCert’s main focus since completing the acquisition of Symantec Website Security and related PKI solutions in late 2017?

Since completing our acquisition of Symantec Website Security and related PKI solutions last year, we’ve invested an enormous amount of time and devoted the necessary resources to minimize the impact of the browser’s distrust of Symantec certificates on our customers and partners. This first required replacing all Symantec backend systems with our own architecture and re-validating customers.

By completing this major effort, we have been able to manage the large volume of replacement certificates without notable delays for customers after the initial flurry of replacements began in December 2017. Our communications to customers have been extensive and we’ve worked hard to simplify the process.

DigiCert delivers certificate management and security solutions for the majority of the Global 2000. How do you see certificate management evolving in the near future?

As businesses accelerate digital transformation, they see new classes of physical assets that are connected to the Internet and require security. Organizations are challenged by the scale of their security needs (think IoT), the availability of highly trained workers and the rapidly growing attack vectors. Certificate management is critical for organizations, but it’s outside the regular workflow for many, including developers and IT managers. Companies need automation with certificate procurement, issuance, provisioning and renewals and we help simplify the lifecycle with technology and our API integrations.

Enterprise customers look for more than one-off issuance. They need a partner who can understand their workflows and provide automated management systems that fit their work cultures. They need a vendor with the expertise to track evolving threats and help them stay up-to-date. That has always been our focus at DigiCert and will continue to be. Customer first is our mantra.

What makes DigiCert unique in the marketplace? What are your strengths?

DigiCert was built around customer experience when our founders determined that acquiring and installing a digital certificate should be easier. That’s always been our focus: Innovating with customer-friendly product offerings, numerous platforms and tools to simplify certificate management, and a 24/7 customer support team to handle specific needs immediately and in a knowledgeable way.

We’ve also been very involved in industry standards work, which helps our customers stay at the forefront of evolving practices that address real-time risks. As an industry leader, we are constantly working to improve certificate ecosystems. For example:

  • No CA can match our global support, with staff speaking dozens of languages and offices around the world to offer localized services. We also have the largest concentration of talent and innovators working on improving industry standards and enhancing our technology.
  • We have built a modern, scalable infrastructure capable of reliably hosting the billions of certificates that the IoT and other connectivity requires. We also are working with others to advance forward-looking solutions such as quantum-safe cryptography and improved validation and trust within communities like blockchain.
  • We support increased transparency around validation methods used to issue digital certificates, including which method was used to validate a particular certificate. We believe that any details about the issuance of digital certificates that does not need to be private should be public. We created a ballot that was passed in the CA/Browser Forum and continue to drive positive change.
  • We are huge fans of automation and are working hard to support improved methods and tools to make it easier to manage certificates.
  • And it doesn’t stop there, but stay tuned for more.

Don't miss