Website Security
Product Activity Log

What’s new and what we’re working on – May 23, 2018

Urgent action for org and domain validation

Remember to respond to email and phone requests to validate your orgs and domains. Pass this reminder on to your Symantec Website Security account owners, org contacts, and domain owners.

As part of the DigiCert acquisition of Symantec Website Security Services, we are reauthenticating your orgs and domains to confirm proper ownership. It’s inconvenient but necessary to maintain security and trust for your customers, your business, and the web. Thanks for your patience and attention to this!

Complete Website Security and Managed PKI for SSL

Important dates and activity

What’s happening?

Google Chrome distrust of Symantec SSL/TLS

  • On March 15, Google Chrome started showing warnings for sites secured by Symantec SSL/TLS certificates that were issued before June 1, 2016.
  • Your security and data are not at risk, but the Chrome warning may discourage visitors from continuing to your site.

When?

March 15, 2018

What do I need to do?

  • Immediately replace or renew Symantec, Thawte, GeoTrust, and RapidSSL certs that were issued before June 1, 2016.
  • Help expedite re-issuance of your certs – Make sure your account contacts, org contacts, and domain owners check their email – including domain email accounts like admin@example.com – and respond to org and domain validation requests.

What’s happening?

OCSP and CRL update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

Code signing and private SSL authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing and Private SSL certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

When?

Coming in 2018 (date TBD)

What do I need to do?

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.
  • No impact to your business if you don’t manage code signing certs or a private CA.

What’s new?

Complete Website Security 4.5 and Managed PKI for SSL are live on May 8!

  • Quickly replace certs at risk of Google Chrome distrust – In certificate management views and search results, admins can replace legacy Symantec certs with just a couple of clicks. The replacement request uses the previous CSR to generate the replacement cert.
  • Identify Symantec certs at risk of Google Chrome distrust – Managed PKI for SSL reports now include the intermediate CA info so you can find your legacy Symantec-issued certs. Already available in Complete Website Security.
  • Enter new challenge phrase on certificate replace - In the CWS console, the standard cert replacement process previously asked for the last challenge phrase. Now the admin only needs to enter a new challenge phrase for the replacement cert. Since the admin is already signed in, the old challenge phrase is not necessary for user validation. Not applicable to MSSL and subscriber services.
  • VICE2 API updates – Generate and pick up a new admin ID with a CSR; filter reports by common name or email address; update certificate subscriber information including custom fields.
  • Account and certificate notifications now from digicert.com – Account and certificate lifecycle notifications (CWS and MSSL) and discovery and automation notifications (CWS) now have a From address from digicert.com instead of symantec.com. Check your spam filters or whitelists to make sure you continue to get critical CWS and MSSL notifications.

Other updates

  • EV green address bar for SHA-256 full chain certs restored in Chrome 66 – Latest stable release of Google Chrome fixes a bug that prevented the green address bar from displaying on sites with Extended Validation (EV) certs signed with SHA-256 full chain (SHA-256 signing on certificate, intermediate(s), and root).
  • Complete Website Security - Sensor installation and certificate discovery support for Red Hat Enterprise Linux 7.4 and Microsoft Windows Server 2016.
  • Complete Website Security – Agent installation and certificate automation support for Red Hat Enterprise Linux 7.4.
  • API developer documentation – The Website Security Developer Portal has moved to DigiCert at https://docs.digicert.com/api-developer-portal/. The developer portal on symantec.com will redirect to DigiCert for a limited time, so update your bookmarks soon.

What’s coming up?

Complete Website Security 4.6 and Managed PKI for SSL (expected May 31, 2018)

  • Update certificate custom fields – In the CWS console, keep additional cert info up-to-date after initial enrollment. Under Additional information in the detailed cert view, edit any custom field. Already available in Managed PKI for SSL.
  • Identify vulnerabilities per page scanned – Vulnerability assessment report will include specific points of weakness per page, instead of only a summary of vulnerabilities found on the website. The report will also include step-by-step attack proof-of-concept and recommended solutions for discovered vulnerabilities.
  • Minimize network traffic from vulnerability and malware scans – Vulnerability assessment will run a complete scan once a month. Malware services will check your domain against a trusted blacklist of malicious websites, instead of scanning your domain every day.
  • CWS console help – The CWS help portal is moving to https://docs.digicert.com/cws/ and console links to the portal will be updated. Visit the help portal for getting started, tutorials, general console usage, and support contact info.

Secure App Service

Important dates and activity

What’s happening?

OCSP and CRL update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

Code signing and authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

When?

Coming in 2018 (date TBD)

What do I need to do?

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots.
  • Check for email and phone requests from DigiCert for additional organization info. Prompt response ensures continued service.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.

What’s happening?

End-of-life for GeoCenter Android code signing

  • To streamline our authentication and issuance platforms with DigiCert's processes and trust hierarchies, and to remove dependencies on legacy Symantec systems, we are discontinuing Android code signing available through the GeoCenter portal and CSPub APIs.

When?

August 1, 2018

What do I need to do?

What’s new?

Secure App Service live on April 26!

  • Java and Android signing services upgraded to Jarsigner 8 – To remove the vulnerabilities associated with JDK 1.6, we upgraded our JRE and SDK to JDK 1.8. This change is not expected to cause any service disruptions for you.
  • Efficiency improvement on Secure App Service cloud storage - All test-signed files are automatically purged after 30 days from the date they were signed.
  • Get specific status responses for EV certs through the API – Responses for the EV cert status API request (getEVCertificateStatus) are now consistent with the SAS portal: Valid, Expired, Revoked, Deactivated, Failed.

Other updates

  • API developer documentation – The Website Security Developer Portal has moved to DigiCert at https://docs.digicert.com/api-developer-portal/. The developer portal on symantec.com will redirect to DigiCert for a limited time, so update your bookmarks soon.

What’s coming up?

  • No info at this time. Check back soon.

Partners and Resellers

Important dates and activity

What’s happening?

Google Chrome distrust of Symantec SSL/TLS

  • On March 15, Google Chrome started showing warnings for sites secured by Symantec SSL/TLS certificates that were issued before June 1, 2016.
  • Your security and data are not at risk, but the Chrome warning may discourage visitors from continuing to your site.

When?

March 15, 2018

What do I need to do?

  • Immediately replace or renew Symantec, Thawte, GeoTrust, and RapidSSL certs that were issued before June 1, 2016.
  • Help expedite re-issuance of your certs – Make sure your account contacts, org contacts, and domain owners check their email – including domain email accounts like admin@example.com – and respond to org and domain validation requests.

What’s happening?

OCSP and CRL update for legacy SSL/TLS certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

Code signing authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

When?

Coming in 2018 (date TBD)

What do I need to do?

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.
  • No impact to your business if you don’t manage code signing certs.

What’s new?

Go live in April 2018!

  • Improved order status feedback for Reissue API requests - The response for Reissue requests now provides detailed statuses as part of the ModificationEventName parameter of the OrderDetail object: Certificate Reissued, Reissue Cancelled.
  • Longer renewal window for legacy Symantec certificates – Renew certs that were issued before December 1, 2017 (issued from the Symantec CA hierarchy) up to 210 days (about 7 months) before expiration. This allows you to get your cert with the new DigiCert hierarchy without having to replace and renew again later.

Other updates

  • API developer documentation – The Website Security Developer Portal has moved to DigiCert at https://docs.digicert.com/api-developer-portal/. The developer portal on symantec.com will redirect to DigiCert for a limited time, so update your bookmarks soon.

What's coming up?

Scheduled for May 14, 2018 launch

  • Get 1- and 2-year certificates in the pilot environment – Previously only 7-day certs were allowed. Now you’ll be able to get standard-term certs for testing. Short-term 7-day certs will still be available.
  • Add SANs after the initial request – You’ll be able to add subject alternative names to a cert order even when the original request didn’t include SANs.
  • File validation restored for revocation requests - This was previously suspended during the transition of our services to the DigiCert root hierarchy and issuance platform.

Managed PKI

Important dates and activity

What’s happening?

OCSP update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) infrastructure for legacy Symantec certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

Managed PKI 7.X: Automated Administration (AA) certificate renewal

  • We’re renewing and auto-replacing the AA certificate for Managed PKI 7 services. The current AA cert expires on August 6, 2018.

When?

Before August 6, 2018 (specific date TBD)

What do I need to do?

  • Look for more details coming soon or check back here. No disruption to your services expected, but you’ll need to make sure the new AA cert is installed correctly.
  • No action needed if you don’t use Automated Admin (your cert requests are approved manually or through passcode authentication).

What’s new?

Managed PKI 8.17.4 live on February 20!

  • Access point change for Live Update - As part of the changes due to DigiCert’s acquisition of Symantec PKI and SSL/TLS businesses, PKI Client now uses a new access point for Live Update: http://pkiclient-updater.digicert.com. No action on your part to enable the new URL, but make sure the URL isn't blocked by your network's access protections.
  • Updated Symantec Authentication Client Extension – Browsers such as Firefox are ending support for some legacy extensions. New certificate enrollment requests now happen through an updated Symantec Authentication Client Extension. Install the new client plug-in when prompted (browser restart may be required).
  • PKI Client is now compatible with FIPS initialized 5110 tokens.
  • (For GSM Association only) Support for the asterisk (*) in the common name field for some BCTs.

What’s coming up?

  • Managed PKI:
    • MPKI 7 certificate profile updates for DigiCert - As part of the Symantec PKI services move to DigiCert, we are updating certificate profiles to replace legacy verisign.com URLs with new digicert.com URLs. No action needed on your part.
    • System maintenance for performance and security.
    • Microsoft Intune integration for managing certificates on mobile devices.
  • CI Plus:
    • Ability to request certificates for devices with Enhanced Content Protection (ECP). The current functionality does not have an option for requesting certificates for devices with ECP.
