Website Security
Product Activity Log

What’s new and what we’re working on – September 12, 2018

Complete Website Security and Managed PKI for SSL

importantImportant dates and activity

What’s happening?

When?

What do I need to do?

OCSP and CRL update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

May 2018

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

Organizational unit (OU) validation change

  • In the current verification process, the CSR OU value is checked against our blacklist during enrollment.
  • In the new verification process, the CSR OU value is checked against the whitelist of approved OU values during order processing.

July 31, 2018

Address change in certificate lifecycle emails

  • DigiCert updated the sender (or "From") address in all certificate lifecycle notifications to noreply@digicert.com. This change affects confirmation, approval, rejection, renewal, and revocation emails.

August 9, 2018

  • Check your inbox for the service announcement around August 1. Check the announcement for details including critical dates and additional support references.

Code signing and private SSL authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing and Private SSL certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

October 2018

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.
  • No impact to your business if you don’t manage code signing certs or a private CA.

What’s happening?

OCSP and CRL update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

Organizational unit (OU) validation change

  • In the current verification process, the CSR OU value is checked against our blacklist during enrollment.
  • In the new verification process, the CSR OU value is checked against the whitelist of approved OU values during order processing.

When?

July 31, 2018

What do I need to do?

What’s happening?

Address change in certificate lifecycle emails

  • DigiCert updated the sender (or "From") address in all certificate lifecycle notifications to noreply@digicert.com. This change affects confirmation, approval, rejection, renewal, and revocation emails.

When?

August 9, 2018

What do I need to do?

  • Check your inbox for the service announcement around August 1. Check the announcement for details including critical dates and additional support references.

What’s happening?

Code signing and private SSL authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing and Private SSL certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

When?

October 2018

What do I need to do?

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.
  • No impact to your business if you don’t manage code signing certs or a private CA.

What’s new?

Live on July 31, 2018!

  • Replace distrusted certificates in bulk - For accounts that have more than a few certificates at risk of browser distrust, admins can quickly replace multiple certificates in batches. Applies to Managed PKI for SSL only.
  • New organizational unit validation - DigiCert implemented a new organizational unit (OU) verification process for checking the OU included in your certificate requests. See "Important dates and activities" above.

Complete Website Security 4.6 and Managed PKI for SSL (released May 31, 2018)

  • Update certificate custom fields – In the CWS console, keep additional cert info up-to-date after initial enrollment. Under Additional information in the detailed cert view, edit any custom field. Already available in Managed PKI for SSL.
  • Identify vulnerabilities per page scanned – Vulnerability assessment report includes specific points of weakness per page, instead of only a summary of vulnerabilities found on the website. The report also includes step-by-step attack proof-of-concept and recommended solutions for discovered vulnerabilities.
  • Minimize network traffic from vulnerability and malware scans – Vulnerability assessment runs a complete scan once a month. Malware services checks your domain against a trusted blacklist of malicious websites, instead of scanning your domain every day.
  • CWS console help – The CWS help portal has moved to https://docs.digicert.com/cws/ and console links direct to the new portal. Visit the help portal for getting started, tutorials, general console usage, and support contact info.

Other updates

  • General Data Protection Regulation (GDPR) and your certificates – The European Union’s General Data Protection Regulation (GDPR), in effect as of May 25, 2018, introduces policies that may prevent us from getting the proper domain contact email from your registrars. Your domain contact is a primary method to prove domain ownership for certificate requests and domain approvals. To learn more and make sure you continue to get your certificates promptly, visit our Note on WHOIS, GDPR and Domain Validation. GDPR has no impact on valid certificates and domains.
  • EV green address bar for SHA-256 full chain certs restored in Chrome 66 – Latest stable release of Google Chrome fixes a bug that prevented the green address bar from displaying on sites with Extended Validation (EV) certs signed with SHA-256 full chain (SHA-256 signing on certificate, intermediate(s), and root).
  • Complete Website Security - Sensor installation and certificate discovery support for Red Hat Enterprise Linux 7.4 and Microsoft Windows Server 2016.
  • Complete Website Security – Agent installation and certificate automation support for Red Hat Enterprise Linux 7.4.
  • API developer documentation – The Website Security Developer Portal has moved to DigiCert at https://docs.digicert.com/api-developer-portal/. The developer portal on symantec.com will redirect to DigiCert for a limited time, so update your bookmarks soon.

What’s coming up?

Coming in October

  • Organization and domain consolidation – As we complete our transition into DigiCert, we’re consolidating organization and domain authentication processes for all certificate types, which will simplify organization and domain statuses in your consoles.
  • Language support for DCV emails – When you resend DCV (Domain Control Validation) emails to confirm proper domain ownership, you’ll be able to select the appropriate language for the domain owners.

Secure App Service

importantImportant dates and activity

What’s happening?

When?

What do I need to do?

OCSP and CRL update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

May 2018

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

End-of-life for GeoCenter Android code signing

  • To streamline our authentication and issuance platforms with DigiCert's processes and trust hierarchies, and to remove dependencies on legacy Symantec systems, we are discontinuing Android code signing available through the GeoCenter portal and CSPub APIs.

August 1, 2018

Code signing and authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

October 2018

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots.
  • Check for email and phone requests from DigiCert for additional organization info. Prompt response ensures continued service.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.

What’s happening?

OCSP and CRL update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

End-of-life for GeoCenter Android code signing

  • To streamline our authentication and issuance platforms with DigiCert's processes and trust hierarchies, and to remove dependencies on legacy Symantec systems, we are discontinuing Android code signing available through the GeoCenter portal and CSPub APIs.

When?

August 1, 2018

What do I need to do?

What’s happening?

Code signing and authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

When?

October 2018

What do I need to do?

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots.
  • Check for email and phone requests from DigiCert for additional organization info. Prompt response ensures continued service.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.

What’s new?

Live on August 2!

  • Securely sign autonomous build applications in Apache Ant or Gradle. Integrate SAS with Ant or Gradle continuous integration tools to sign applications using the Secure App Services Java CSP.
  • Integration and workflow testing in your production account – Set up and run all activities in your regular production account, instead of creating and managing a separate pilot account.

Live on July 19!

  • Securely sign Android apps with hash signing – Use the Secure App Services Java CSP hash signing service to sign large Android apps faster.
  • Securely sign autonomous build applications for Apache Maven – Integrate SAS with Apache Maven to sign applications from autonomous builds using the Secure App Services Java CSP. For API integration details, go to Website Security Developer Portal.

Other updates

  • API developer documentation – The Website Security Developer Portal has moved to DigiCert at https://docs.digicert.com/api-developer-portal/. The developer portal on symantec.com will redirect to DigiCert for a limited time, so update your bookmarks soon.

What’s coming up?

  • No info at this time. Check back soon.

Partners and Resellers

importantImportant dates and activity

What’s happening?

When?

What do I need to do?

Google Chrome distrust of Symantec SSL/TLS

  • On March 15, Google Chrome started showing warnings for sites secured by Symantec SSL/TLS certificates that were issued before June 1, 2016.
  • Your security and data are not at risk, but the Chrome warning may discourage visitors from continuing to your site.

March 15, 2018

  • Immediately replace or renew Symantec, Thawte, GeoTrust, and RapidSSL certs that were issued before June 1, 2016.
  • Help expedite re-issuance of your certs – Make sure your account contacts, org contacts, and domain owners check their email – including domain email accounts like admin@example.com – and respond to org and domain validation requests.

OCSP and CRL update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

May 2018

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

Address change in certificate lifecycle emails

  • DigiCert updated the sender (or "From") address in validation-related notifications to @digicert.com addresses.

August 9, 2018

  • Check your inbox for the service announcement around August 1. Check the announcement for details including critical dates and additional support references.

Code signing authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

October 2018

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots for Symantec code signing certificates and Thawte code signing certificates.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.
  • No impact to your business if you don’t manage code signing certs.

What’s happening?

Google Chrome distrust of Symantec SSL/TLS

  • On March 15, Google Chrome started showing warnings for sites secured by Symantec SSL/TLS certificates that were issued before June 1, 2016.
  • Your security and data are not at risk, but the Chrome warning may discourage visitors from continuing to your site.

When?

March 15, 2018

What do I need to do?

  • Immediately replace or renew Symantec, Thawte, GeoTrust, and RapidSSL certs that were issued before June 1, 2016.
  • Help expedite re-issuance of your certs – Make sure your account contacts, org contacts, and domain owners check their email – including domain email accounts like admin@example.com – and respond to org and domain validation requests.

What’s happening?

OCSP and CRL update for legacy Symantec certs

  • For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.

When?

May 2018

What do I need to do?

  • Make sure clients inside your network can access the new OCSP and CRL resources. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check your firewall and access control policies.
  • No action needed if network access policy defines full domain names instead of IP addresses, or if there is no access policy.

What’s happening?

Address change in certificate lifecycle emails

  • DigiCert updated the sender (or "From") address in validation-related notifications to @digicert.com addresses.

When?

August 9, 2018

What do I need to do?

  • Check your inbox for the service announcement around August 1. Browsers, devices, and other clients that can’t access the new resources may encounter warnings or errors. Check the announcement for details including critical dates and additional support references.

What’s happening?

Code signing authentication and root hierarchy migration

  • We’re continuing to consolidate and simplify our authentication and issuance processes, now to include code signing certs.
  • We’ll also introduce a new DigiCert root hierarchy for code signing certs.

When?

October 2018

What do I need to do?

  • Update your development and validation environments with the new DigiCert code signing intermediate CAs and roots. Make sure you have the latest roots for Symantec code signing certificates and Thawte code signing certificates.
  • Otherwise no action needed:
    • New certs are automatically issued from the new DigiCert CA.
    • Existing certs signed by the Symantec CA remain valid until expiration.
  • No impact to your business if you don’t manage code signing certs.

What’s new?

Go live in May 2018!

  • Bonaire (BQ) and Curaçao (CW) are now valid country codes, and if you are a natural and legal resident of either you can now order our certificates.
  • You can use shared key-based file authentication for their enterprises now. To activate this feature, contact support.
  • Get 1 and 2-year certificates in the pilot environment – Previously only 7-day certs were allowed. Now you can get standard-term certs for testing. Short-term 7-day certs are still available.
  • Add SANs after the initial request – Add subject alternative names to a cert order even when the original request didn’t include SANs.

Other updates

  • General Data Protection Regulation (GDPR) and your certificates – The European Union’s General Data Protection Regulation (GDPR), in effect as of May 25, 2018, introduces policies that may prevent us from getting the proper domain contact email from your registrars. Your domain contact is a primary method to prove domain ownership for certificate requests and domain approvals. To learn more and make sure you continue to get your certificates promptly, visit our Note on WHOIS, GDPR and Domain Validation. GDPR has no impact on valid certificates and domains.
  • API developer documentation – The Website Security Developer Portal has moved to DigiCert at https://docs.digicert.com/api-developer-portal/. The developer portal on symantec.com will redirect to DigiCert for a limited time, so update your bookmarks soon.
  • symantec.com email address migration – Our email services continue to migrate from symantec.com addresses to digicert.com addresses. Let your customers know so they’re not confused by updates and alerts from digicert.com. Also make sure your own mail services receive and deliver email from digicert.com.
  • Cert requests with the country code AN (Netherland Antilles) no longer accepted – Make sure your APIs and other processes are updated.

What's coming up?

Tentative soon

  • File validation restored for revocation requests - This was previously suspended during the transition of our services to the DigiCert root hierarchy and issuance platform.

Other updates coming soon

  • DV cert early bird access – Starting July 11, domain validated (DV) certs will be available on a limited basis through DigiCert CertCentral. CertCentral is the certificate request and management console that will eventually replace your current partner portal. Reach out to your account manager if you are interested in joining the early bird program.
  • End-of-life for the POST API – On August 16, we’re decommissioning the older POST API platform. Make sure you migrate to the SOAP APIs if you have any services still running through the POST API.
  • New partner console and API coming in October - We're getting closer to launching a new account/certificate management portal and API, based on our DigiCert CertCentral platform. An open beta test period is targeted to start in October, featuring full production capabilities. If you want to get an early start now, contact your account manager for a demo.
  • End-of-life for Encryption Everywhere pilot platform – Shut down is scheduled for October 26. If you need a testing platform, set up a separate standard production account.

Managed PKI

importantImportant dates and activity

What’s happening?

When?

What do I need to do?

Managed PKI 7.X: Automated Administration (AA) certificate renewal

  • We’re renewing and auto-replacing the AA certificate for Managed PKI 7 services. The current AA cert expires on August 17, 2018.

Starting August 7, 2018

  • Check your inbox for the July 23 service announcement. No disruption to your services expected, but you’ll need to make sure the new AA cert is installed correctly.
  • No action needed if you don’t use Automated Admin (your cert requests are approved manually or through passcode authentication).

Address change in certificate lifecycle emails

  • DigiCert updated the sender (or "From") address in renewal notifications to noreply@digicert.com.

August 13, 2018

  • Check your inbox for the service announcement around August 1. Check the announcement for details including critical dates, test resources, and additional support references.
  • Customized notifications are also altered. Check the announcement for instructions to re-configure your notifications.

Transition to DigiCert TLS hierarchy for Managed PKI 7 and 8

  • As part of the DigiCert acquisition, we are transitioning Symantec root CAs to DigiCert and ending support for legacy verisign.com services.

Now through end of 2018

  • Check your inbox for the June 19 service announcement. This communication provides further details, including critical dates, test resources, and additional support references.
  • Make sure you have the latest DigiCert root hierarchy in your Managed PKI environment. Recommended for compliance best practices and uninterrupted service.
  • Replace verisign.com services in your Managed PKI environment with correct symauth.com URLs. Services on verisign.com will be discontinued at the end of 2018.
  • For more information:

What’s happening?

Managed PKI 7.X: Automated Administration (AA) certificate renewal

  • We’re renewing and auto-replacing the AA certificate for Managed PKI 7 services. The current AA cert expires on August 17, 2018.

When?

Starting August 7, 2018

What do I need to do?

  • Check your inbox for the July 23 service announcement. No disruption to your services expected, but you’ll need to make sure the new AA cert is installed correctly.
  • No action needed if you don’t use Automated Admin (your cert requests are approved manually or through passcode authentication).

What’s happening?

Address change in certificate lifecycle emails

  • DigiCert updated the sender (or "From") address in renewal notifications to noreply@digicert.com.

When?

August 13, 2018

What do I need to do?

  • Check your inbox for the service announcement around August 1. Check the announcement for details including critical dates, test resources, and additional support references.
  • Customized notifications are also altered. Check the announcement for instructions to re-configure your notifications.

What’s happening?

Transition to DigiCert TLS hierarchy for Managed PKI 7 and 8

  • As part of the DigiCert acquisition, we are transitioning Symantec root CAs to DigiCert and ending support for legacy verisign.com services.

When?

Now through end of 2018

What do I need to do?

  • Check your inbox for the June 19 service announcement. This communication provides further details, including critical dates, test resources, and additional support references.
  • Make sure you have the latest DigiCert root hierarchy in your Managed PKI environment. Recommended for compliance best practices and uninterrupted service.
  • Replace verisign.com services in your Managed PKI environment with correct symauth.com URLs. Services on verisign.com will be discontinued at the end of 2018.
  • For more information:

What’s new?

June 19

  • MPKI 7 certificate profile updates for DigiCert - As part of the Symantec PKI services move to DigiCert, we updated certificate profiles to replace legacy verisign.com URLs with new digicert.com URLs. No action needed on your part. What’s changing?

Other updates

  • Managed PKI:
    • Microsoft Intune integration for managing certificates on mobile devices. Contact your account manager or customer support for more information.
  • CI Plus:
    • Ability to request certificates for devices with Enhanced Content Protection (ECP).

What’s coming up?

  • No info at this time. Check back soon.

We have updated our Privacy Policy which can be found here.