Website Security
Product Activity Log

What’s new and what we’re working on – July 4, 2018

Important: Urgent action for org and domain validation

Remember to respond to email and phone requests to validate your orgs and domains. Pass this reminder on to your Symantec Website Security account owners, org contacts, and domain owners.

As part of the DigiCert acquisition of Symantec Website Security, we are reauthenticating your orgs and domains to confirm proper ownership. It’s inconvenient but necessary to maintain security and trust for your customers, your business, and the web. Thanks for your patience and attention to this!

Complete Website Security and Managed PKI for SSL

Important dates and activity

What’s happening?

OCSP and CRL update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

Organizational unit (OU) validation change

  • In the current verification process, the CSR OU value is checked against our blacklist during enrollment.
  • In the new verification process, the CSR OU value is checked against the whitelist of approved OU values during order processing.

When?

July 31, 2018

What do I need to do?

What’s happening?

Code signing and private SSL authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing and Private SSL certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

When?

Coming in 2018 (date TBD)

What do I need to do?

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.
  • No impact to your business if you don’t manage code signing certs or a private CA.

What’s new?

Complete Website Security 4.6 and Managed PKI for SSL (released May 31, 2018)

  • Update certificate custom fields – In the CWS console, keep additional cert info up-to-date after initial enrollment. Under Additional information in the detailed cert view, edit any custom field. Already available in Managed PKI for SSL.
  • Identify vulnerabilities per page scanned – The vulnerability assessment report includes specific points of weakness per page, instead of only a summary of vulnerabilities found on the website. The report also includes a step-by-step attack proof of concept and recommended solutions for discovered vulnerabilities.
  • Minimize network traffic from vulnerability and malware scans – Vulnerability assessment runs a complete scan once a month. The malware service checks your domain against a trusted blacklist of malicious websites, instead of scanning your domain every day.
  • CWS console help – The CWS help portal has moved to https://docs.digicert.com/cws/ and console links direct to the new portal. Visit the help portal for getting started, tutorials, general console usage, and support contact info.

Other updates

  • General Data Protection Regulation (GDPR) and your certificates – The European Union’s General Data Protection Regulation (GDPR), in effect as of May 25, 2018, introduces policies that may prevent us from getting the proper domain contact email from your registrars. Your domain contact is a primary method to prove domain ownership for certificate requests and domain approvals. To learn more and make sure you continue to get your certificates promptly, visit our Note on WHOIS, GDPR and Domain Validation. GDPR has no impact on valid certificates and domains.
  • EV green address bar for SHA-256 full chain certs restored in Chrome 66 – Latest stable release of Google Chrome fixes a bug that prevented the green address bar from displaying on sites with Extended Validation (EV) certs signed with SHA-256 full chain (SHA-256 signing on certificate, intermediate(s), and root).
  • Complete Website Security - Sensor installation and certificate discovery support for Red Hat Enterprise Linux 7.4 and Microsoft Windows Server 2016.
  • Complete Website Security – Agent installation and certificate automation support for Red Hat Enterprise Linux 7.4.
  • API developer documentation – The Website Security Developer Portal has moved to DigiCert at https://docs.digicert.com/api-developer-portal/. The developer portal on symantec.com will redirect to DigiCert for a limited time, so update your bookmarks soon.

What’s coming up?

  • No info at this time. Check back soon.

Secure App Service

Important dates and activity

What’s happening?

OCSP and CRL update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

Code signing and authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

When?

Coming in 2018 (date TBD)

What do I need to do?

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots.
  • Check for email and phone requests from DigiCert for additional organization info. Prompt response ensures continued service.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.

What’s happening?

End-of-life for GeoCenter Android code signing

  • To streamline our authentication and issuance platforms with DigiCert's processes and trust hierarchies, and to remove dependencies on legacy Symantec systems, we are discontinuing Android code signing available through the GeoCenter portal and CSPub APIs.

When?

August 1, 2018

What do I need to do?

What’s new?

Secure App Service live on May 30!

  • The CSP tool for Windows Hash Signing now supports Windows 10 computers that use Windows SDK 10.

Other updates

  • API developer documentation – The Website Security Developer Portal has moved to DigiCert at https://docs.digicert.com/api-developer-portal/. The developer portal on symantec.com will redirect to DigiCert for a limited time, so update your bookmarks soon.

What’s coming up?

  • No info at this time. Check back soon.

Partners and Resellers

Important dates and activity

What’s happening?

Google Chrome distrust of Symantec SSL/TLS

  • On March 15, Google Chrome started showing warnings for sites secured by Symantec SSL/TLS certificates that were issued before June 1, 2016.
  • Your security and data are not at risk, but the Chrome warning may discourage visitors from continuing to your site.

When?

March 15, 2018

What do I need to do?

  • Immediately replace or renew Symantec, Thawte, GeoTrust, and RapidSSL certs that were issued before June 1, 2016.
  • Help expedite re-issuance of your certs – Make sure your account contacts, org contacts, and domain owners check their email – including domain email accounts like admin@example.com – and respond to org and domain validation requests.

What’s happening?

OCSP and CRL update for legacy SSL/TLS certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

Code signing authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

When?

Coming in 2018 (date TBD)

What do I need to do?

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.
  • No impact to your business if you don’t manage code signing certs.

What’s new?

Go live in May 2018!

  • Bonaire (BQ) and Curaçao (CW) are now valid country codes, and if you are a natural and legal resident of either you can now order our certificates.
  • You can use shared key-based file authentication for their enterprises now. To activate this feature, contact support.
  • Get 1 and 2-year certificates in the pilot environment – Previously only 7-day certs were allowed. Now you can get standard-term certs for testing. Short-term 7-day certs are still available.
  • Add SANs after the initial request – Add subject alternative names to a cert order even when the original request didn’t include SANs.

Other updates

  • General Data Protection Regulation (GDPR) and your certificates – The European Union’s General Data Protection Regulation (GDPR), in effect as of May 25, 2018, introduces policies that may prevent us from getting the proper domain contact email from your registrars. Your domain contact is a primary method to prove domain ownership for certificate requests and domain approvals. To learn more and make sure you continue to get your certificates promptly, visit our Note on WHOIS, GDPR and Domain Validation. GDPR has no impact on valid certificates and domains.
  • API developer documentation – The Website Security Developer Portal has moved to DigiCert at https://docs.digicert.com/api-developer-portal/. The developer portal on symantec.com will redirect to DigiCert for a limited time, so update your bookmarks soon.
  • symantec.com email address migration – Our email services continue to migrate from symantec.com addresses to digicert.com addresses. Let your customers know so they’re not confused by updates and alerts from digicert.com. Also make sure your own mail services receive and deliver email from digicert.com.
  • Cert requests with the country code AN (Netherlands Antilles) no longer accepted – Make sure your APIs and other processes are updated.

What's coming up?

Tentative soon

  • File validation restored for revocation requests - This was previously suspended during the transition of our services to the DigiCert root hierarchy and issuance platform.

Other updates coming soon

  • DV cert early bird access – Starting July 11, domain validated (DV) certs will be available on a limited basis through DigiCert CertCentral. CertCentral is the certificate request and management console that will eventually replace your current partner portal. Reach out to your account manager if you are interested in joining the early bird program.
  • End-of-life for the POST API – On August 16, we’re decommissioning the older POST API platform. Make sure you migrate to the SOAP APIs if you have any services still running through the POST API.

Managed PKI

Important dates and activity

What’s happening?

OCSP update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) infrastructure for legacy Symantec certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

Managed PKI 7.X: Automated Administration (AA) certificate renewal

  • We’re renewing and auto-replacing the AA certificate for Managed PKI 7 services. The current AA cert expires on August 6, 2018.

When?

Before August 6, 2018 (specific date TBD)

What do I need to do?

  • Look for more details coming soon or check back here. No disruption to your services expected, but you’ll need to make sure the new AA cert is installed correctly.
  • No action needed if you don’t use Automated Admin (your cert requests are approved manually or through passcode authentication).

What’s happening?

Transition to DigiCert TLS hierarchy for Managed PKI 7 and 8

  • As part of the DigiCert acquisition, we are transitioning Symantec root CAs to DigiCert and ending support for legacy verisign.com services.

When?

Now through end of 2018

What do I need to do?

  • Check your inbox for the June 19 service announcement. This communication provides further details, including critical dates, test resources, and additional support references.
  • Make sure you have the latest DigiCert root hierarchy in your Managed PKI environment. Recommended for compliance best practices and uninterrupted service.
  • Replace verisign.com services in your Managed PKI environment with correct symauth.com URLs. Services on verisign.com will be discontinued at the end of 2018.
  • For more information:

What’s new?

Managed PKI 8.17.4 live on February 20!

  • Access point change for Live Update - As part of the changes due to DigiCert’s acquisition of Symantec PKI and SSL/TLS businesses, PKI Client now uses a new access point for Live Update: http://pkiclient-updater.digicert.com. No action on your part to enable the new URL, but make sure the URL isn't blocked by your network's access protections.
  • Updated Symantec Authentication Client Extension – Browsers such as Firefox are ending support for some legacy extensions. New certificate enrollment requests now happen through an updated Symantec Authentication Client Extension. Install the new client plug-in when prompted (browser restart may be required).
  • PKI Client is now compatible with FIPS initialized 5110 tokens.
  • (For GSM Association only) Support for the asterisk (*) in the common name field for some BCTs.

What’s coming up?

  • Managed PKI:
    • MPKI 7 certificate profile updates for DigiCert - As part of the Symantec PKI services move to DigiCert, we are updating certificate profiles to replace legacy verisign.com URLs with new digicert.com URLs. No action needed on your part.
    • System maintenance for performance and security.
    • Microsoft Intune integration for managing certificates on mobile devices.
  • CI Plus:
    • Ability to request certificates for devices with Enhanced Content Protection (ECP). The current functionality does not have an option for requesting certificates for devices with ECP.
