What to Do If Your Users Are Seeing Warning Messages in Chrome and Other Browsers

Here, you’ll find the information you need to replace your Symantec-issued certificates and stop user warnings from displaying on your site.

What is happening?

Google Chrome, Mozilla Firefox, and other major browsers are in the process of deprecating trust in certificates that were issued from the Symantec Certificate Authority infrastructure. This includes Symantec, GeoTrust, Thawte, and RapidSSL certificates.

DigiCert will replace all affected certificates at no cost. Additionally, you do not need to switch to a new account or platform. Continue to use your current Symantec Website Security, GeoTrust, Thawte, or RapidSSL account to replace and order your SSL/TLS certificates. For a step-by-step guide to reissuing your certificates, skip to the bottom of this page.

What sites does this affect?

If your site is using a certificate in the Symantec group of brands that was issued before June 1, 2016, the Chrome 66 update is likely displaying warning messages to your users. For further details on the Chrome timeline, read our blog post.

If you have a certificate affected by this distrust, your users will see a warning that their “connection is not private,” as shown in the screenshot below.

[Screenshot: Connection Not Private]
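To triage an inventory against the criteria above, the following added example (not DigiCert's own tooling) classifies certificate records in the shape Python's ssl.SSLSocket.getpeercert() returns. Matching brand names in the issuer, treating the June 1, 2016 cutoff as UTC, and the sample records are assumptions of this example; browsers decide on the root a chain leads to, so treat the result as a first pass.

```python
import ssl
from datetime import datetime, timezone

# Cutoff stated on this page: certificates issued before June 1, 2016.
# Interpreting it as midnight UTC is an assumption of this example.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
# Brand names taken from this page; matching them in the issuer name is a
# heuristic, not the browsers' actual root-based check.
BRANDS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")

def issuer_text(cert):
    """Flatten the issuer RDNs of a getpeercert()-style dict into one string."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)

def issued_at(cert):
    """Return the certificate's notBefore as an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def triage(cert):
    """Classify one certificate record as 'replace', 'review' or 'ok'."""
    if not cert:
        # getpeercert() returns {} when the peer certificate was not validated.
        return "review"
    issuer = issuer_text(cert).lower()
    if not any(brand in issuer for brand in BRANDS):
        return "ok"
    # A brand match issued on or after the cutoff may be a later-distrust
    # certificate or one already reissued under the same brand: check by hand.
    return "replace" if issued_at(cert) < CUTOFF else "review"

# Constructed sample records (hostnames and issuer names are made up).
SAMPLES = {
    "old.example": {
        "issuer": ((("organizationName", "Symantec Corporation"),),
                   (("commonName", "Constructed Symantec Issuing CA"),)),
        "notBefore": "Mar 10 00:00:00 2015 GMT",
    },
    "new.example": {
        "issuer": ((("organizationName", "GeoTrust Inc."),),
                   (("commonName", "Constructed RapidSSL Issuing CA"),)),
        "notBefore": "Jan  5 09:34:43 2018 GMT",
    },
    "other.example": {
        "issuer": ((("organizationName", "Constructed Other CA"),),),
        "notBefore": "Feb  1 00:00:00 2014 GMT",
    },
}

if __name__ == "__main__":
    for host, cert in SAMPLES.items():
        print(f"{host}: {triage(cert)} ({issuer_text(cert)})")
```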

How do I replace my affected certificates?

Follow these simple steps:

  1. Sign in to your existing Symantec, Thawte, GeoTrust, or RapidSSL account.
  2. Find the certificate(s) you need to replace.
  3. Create a CSR (certificate signing request).
  4. Select the replace/reissue certificate option.
  5. Submit your replacement/reissue request.
  6. As soon as DigiCert has revalidated/re-authenticated your domains and organizations (as required for the certificate type), we will reissue your replacement certificate.
  7. Install your SSL/TLS certificate.

Following these steps will give you the same branded certificate you’ve been using on your site, reissued on the trusted DigiCert infrastructure.

Brand-Specific Certificate Replacement Instructions

Symantec™ Complete Website Security
Symantec Managed PKI for SSL
Symantec Trust Center
Symantec Trust Center Enterprise
Thawte Certificate Center (TCC)
Thawte Certificate Center Enterprise (TCCE)
GeoTrust Security Center (GSC)
GeoTrust Enterprise Security Center (GESC)
RapidSSL Security Center

FAQs

If affected, you will receive a message (either email or phone call) from DigiCert, letting you know which certificates need to be replaced. If you want to take action now, reach out to your account representative or our Support team. Any impacted certificate will function properly until March 15, 2018, but to avoid potential issues we highly recommend you renew (if applicable) or replace any impacted certificates before March 15th.

If you’re within your 90-day renewal window, you should RENEW instead of replacing your affected certificate(s). Renewal will resolve the issue.

Our normal processing time is three to five days; however, it may take longer if we need you to provide more information. For example, when you replace your certificate, we will need to revalidate, which may require a verification call* or other validation checks. If we request an action from you, please comply as soon as possible to avoid delays. If you have multiple certificates for the same organization, subsequent requests should be issued faster if pre-validation was successful. FYI, we’re anticipating a high demand leading up to March 15th and through the first quarter. Request replacements or renewals as soon as possible.

*Note regarding verification call:
Verification calls normally happen within 24 hours after the replacement request has been placed. DigiCert will call a verified phone number to complete the organization validation and authentication.

Not necessarily. You should replace your certificate on the same portal or console where you made your original purchase.

Replace and reissue mean the same thing. Symantec and Thawte use replace; GeoTrust, RapidSSL, and partners use reissue. Revoke means the certificate is no longer usable, regardless of brand. If you get a message from us that uses replace or reissue, the action is the same: you need to get a new certificate to avoid distrust dates set by Google.

We recommend you focus on replacing your certificates that need to be replaced by the March 15th date at this time.

Your impacted certificate will only work until the distrust date. You should install your replacement certificate promptly.

After March 15, 2018, when users visit your website using Chrome or Firefox, they will see a browser warning that says the SSL/TLS certificate on your site is distrusted, and your site is not secure. It may look like the example below.

The distrust dates will apply to all certificates issued from VeriSign roots, including Symantec, Thawte, GeoTrust, and RapidSSL certificates.

No. Chrome and Firefox have a schedule to distrust these certificates, and we anticipate other browsers to make the same changes in the future.
For more information on Google’s (Chrome) statement, read here.
For more information on Mozilla’s (Firefox) statement, read here.

We recommend replacing your 3-year certificates before February 20, 2018, so you get their full validity period. As of March 1, 2018, Certificate Authorities will no longer issue 3-year OV and DV certificates. Additionally, all OV and DV replacement certificates issued after February 28, 2018 can only have a maximum validity of 825 days, regardless of how much time remains on the certificate order. See End of Life for 3-Year OV & DV Certificates.
