Migrate from Symantec certificates
Applies for managed Chrome Browsers and devices running Chrome OS.
Symantec® certificates issued before December 2017 are being phased out of support starting with Chrome version 66 (applies to Chrome Browser and Chrome OS). In Chrome version 70 and later, Chrome Browser and Chrome OS will stop supporting Symantec certificates. All certificates issued under Symantec brands such as GeoTrust®, Equifax®, Thawte®, RapidSSL®, and VeriSign®, and those from Symantec resellers are impacted by this change.
Which certificates are blocked depends on the Chrome version and the date the certificates were created.
|Chrome version|Default behavior (block)|
|---|---|
|Chrome 66 to Chrome 69|Distrust Symantec-issued certificates issued before 2016/06/01 or after 2017/12/01, but allow all certificates issued between these dates.|
|Chrome 70 to Chrome 73|Distrust all Symantec-issued certificates.|
Plan your migration
Assess your deployment to determine the best solution for your enterprise. Click below for steps, depending on how and where you use certificates.
My enterprise uses Symantec certificates
Some legacy devices, such as point-of-sale terminals, phone systems, or other forms of integrated hardware, are only capable of trusting Symantec certificates. If this applies to you, contact the device suppliers and ask them to support other Certificate Authorities.
If your devices can’t be updated immediately, and they use the same web servers as your Chrome users, you can enable temporary support for Symantec certificates until you replace or upgrade your devices. If this applies to you, contact the DigiCert representative assigned to your Symantec account to develop a plan to transition to a new Certificate Authority.
If your enterprise depends on a partner site that uses Symantec certificates, contact the webmaster to find out their schedule for replacing the certificates. These sites should transition their certificates immediately to avoid any disruption to your enterprise.
If your partner can’t update their site immediately, consider enabling temporary support for Symantec certificates, until the site is updated.
Enable temporary support for Symantec certificates
To give you more time to transition from Symantec certificates, you can set a user policy to temporarily support legacy Symantec certificates. This policy will work until Chrome version 73. After version 73, this policy will stop working and all Symantec certificates will be blocked on Chrome Browser and Chrome OS.
Before you begin
- Chrome OS will support this policy until version 73. However, other operating systems such as Windows, Linux, or macOS could remove support for Symantec certificates before Chrome 73 is released. If your users are running Chrome Browser on an operating system that no longer supports Symantec certificates, enabling this policy will have no effect and the certificates will not be trusted.
- Enabling this policy is only a temporary solution to give you more time to transition to a permanent solution. Plan your migrations so that your users can access critical webpages during this transition.
- Before rolling out this policy across your organization, test to make sure that your users can still access the sites they need to with this policy enabled.
- This policy lets websites continue to use legacy certificates, and users visiting these sites won’t see any alerts or messages. Enabling this policy could make it difficult for you to discover which servers and sites are using legacy certificates. During the transition period, you should regularly test sites with this policy disabled to determine which sites or services need to be updated.
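An added example (not part of the original page): a Python check that applies the distrust table above to a certificate inventory and lists the hosts that would fail once the temporary policy is off. Matching by issuer name, the helper names and the sample inventory are assumptions made for illustration.

```python
from datetime import date

# Brands named on this page. Matching on the issuer name is a heuristic
# assumed for this example; it is not how Chrome identifies the certificates.
LEGACY_BRANDS = ("symantec", "geotrust", "equifax", "thawte", "rapidssl", "verisign")
WINDOW_START = date(2016, 6, 1)   # Chrome 66-69 still allow certificates
WINDOW_END = date(2017, 12, 1)    # issued between these two dates

# Constructed sample inventory: (host, issuer organization, notBefore date).
INVENTORY = [
    ("pos.example.internal", "GeoTrust Inc.", date(2015, 3, 10)),
    ("intranet.example.internal", "Symantec Corporation", date(2017, 1, 15)),
    ("partner.example.com", "thawte, Inc.", date(2017, 12, 20)),
    ("www.example.com", "Example Trust Services", date(2018, 2, 1)),
]


def is_legacy_symantec(issuer):
    """True if the issuer name contains one of the affected brands."""
    return any(brand in issuer.lower() for brand in LEGACY_BRANDS)


def chrome_verdict(issuer, not_before, chrome_major, policy_enabled=False):
    """Return 'trusted', 'blocked' or 'trusted-by-policy' for one certificate."""
    if chrome_major < 66 or not is_legacy_symantec(issuer):
        return "trusted"                      # outside the scope of this change
    if chrome_major <= 69:
        blocked = not (WINDOW_START <= not_before <= WINDOW_END)
    else:
        blocked = True                        # Chrome 70+: all are distrusted
    if blocked and policy_enabled and chrome_major <= 73:
        return "trusted-by-policy"            # the policy stops working after 73
    return "blocked" if blocked else "trusted"


def migration_worklist(inventory, chrome_major):
    """Hosts whose certificates fail when the temporary policy is disabled."""
    return [host for host, issuer, not_before in inventory
            if chrome_verdict(issuer, not_before, chrome_major) == "blocked"]


if __name__ == "__main__":
    for version in (68, 70):
        print(version, migration_worklist(INVENTORY, version))
```

The check does not model the operating-system caveat above: on an OS that has already removed Symantec trust, the policy has no effect.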
Applies when users use a Chrome Browser on a Chrome OS device.
- From the Admin console Home page, go to Device management > Chrome management.
  If you don't see Device management on the Home page, click More controls at the bottom.
- On the left, click Chrome management.
- Click User settings.
- (Optional) To apply the settings to an organization:
- Go to the Security > Local Trust Anchors Certificates > Symantec Corporation’s Legacy PKI Infrastructure section.
- Select one of the following:
  - Allow - allows legacy certificates issued by Symantec to be trusted.
  - Block - blocks legacy certificates issued by Symantec. This setting enforces the Chrome OS default behavior. Which certificates are blocked depends on the Chrome OS version and the date the certificates were created. See this table for more information.
- At the bottom, click Save.
Settings typically take effect in minutes, but can take up to an hour to apply for everyone.
Applies when users use Chrome Browser on Windows.
Using Group policies
Before you begin: Set up Chrome policies (Windows)
On your Windows computer
- Open your Group Policy Management Console.
- Go to User Configuration > Policies > Administrative Templates > Google > Google Chrome.
- Click Whether to enable trust in Symantec Corporation’s Legacy PKI Infrastructure.
- Select Enabled.
- Click OK.
Applies when users use Chrome Browser on macOS.
Before you begin: Set up Chrome policies (macOS)
In your Chrome configuration profile, add or update the following key. Then deploy the change to your users.
Set the EnableSymantecLegacyInfrastructure key to true:
Applies when users use Chrome Browser on Linux.
Using your preferred JSON file editor:
- Go to your /etc/opt/chrome/policies/managed folder.
- Create a new JSON file. Or open an existing JSON file.
- Update the file with the following code:
- Deploy the update to your users.
- For more information on why Google is ending support for certain Symantec certificates, see Chrome’s Plan to Distrust Symantec Certificates.
- For a detailed description of the policy, see EnableSymantecLegacyInfrastructure.
- For more information on Chrome policy templates, see Set Chrome policies for devices.
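
For the Linux steps above, an added example (not from the original page) that merges the EnableSymantecLegacyInfrastructure key into a managed policy JSON file without discarding other policies already in it, and removes the key again once migration is complete. The function name and the choice of file are assumptions; the policy name and the /etc/opt/chrome/policies/managed folder are the ones given on this page.

```python
import json
import os
import tempfile

POLICY_KEY = "EnableSymantecLegacyInfrastructure"  # policy name from this page


def set_symantec_policy(path, enabled):
    """Merge the policy into a policy JSON file; enabled=None removes the key.

    Returns the policy dictionary that was written to disk.
    """
    policies = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            policies = json.load(fh)          # raises ValueError on malformed JSON
        if not isinstance(policies, dict):
            raise ValueError(f"{path}: top level must be a JSON object")
    if enabled is None:
        policies.pop(POLICY_KEY, None)        # temporary policy no longer needed
    else:
        policies[POLICY_KEY] = bool(enabled)
    # Write a temporary file in the same folder, then rename it over the
    # target so the policy file is replaced in a single step.
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(policies, fh, indent=2, sort_keys=True)
        fh.write("\n")
    os.chmod(tmp, 0o644)                      # readable by the browser, writable by owner
    os.replace(tmp, path)
    return policies


if __name__ == "__main__":
    import sys
    # The caller passes the policy file path, for example a file inside
    # /etc/opt/chrome/policies/managed (writing there requires root).
    print(set_symantec_policy(sys.argv[1], True))
```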