How to migrate from Symantec certificates
Symantec certificates issued before December 2017 are being phased out of support starting with Chrome OS version 66. In Chrome OS version 70 and later, Chrome OS will stop supporting Symantec certificates. All certificates issued under Symantec brands such as GeoTrust, Equifax, Thawte, RapidSSL, and VeriSign, and those from Symantec resellers are impacted by this change.
My enterprise uses Symantec certificates
Work with your webmaster to identify where you use Symantec certificates in your domains, and replace these as soon as possible. You can use a certificate from any Certificate Authority trusted by Chrome. This includes DigiCert which has purchased Symantec's business.
My enterprise has legacy devices that only trust Symantec certificates
Some legacy devices, such as point-of-sale terminals, phone systems, or other forms of integrated hardware, are only capable of trusting Symantec certificates. If this applies to you, contact the device suppliers and ask them to support other Certificate Authorities.
If your devices can’t be updated immediately, and they use the same web servers as your Chrome users, you can enable temporary support for Symantec certificates until you replace or upgrade your devices. If this applies to you, contact the DigiCert representative assigned to your Symantec account to develop a plan to transition to a new Certificate Authority.
My enterprise depends on partners that use Symantec certificates
If your enterprise depends on a partner site that uses Symantec certificates, contact the webmaster to find out their schedule for replacing the certificates. These sites should transition their certificates immediately, to avoid any disruption to your enterprise.
If your partner can’t update their site immediately, consider enabling temporary support for Symantec certificates, until the site is updated.
Enable temporary support for Symantec certificates
To give you more time to transition from Symantec certificates, you can set a user policy in the Admin console to temporarily support legacy Symantec certs. This policy will work until Chrome OS version 73. After version 73, this policy will stop working and all Symantec certificates will be blocked on Chrome OS.
Before you begin
- Enabling this policy is only a temporary solution to give you more time to transition to a permanent solution (before Chrome OS 73).
- Chrome OS will support this policy until version 73. However, other operating systems such as Windows, Linux, or macOS could remove support for Symantec certificates before Chrome 73 is released. If your users are running the Chrome browser on an OS that no longer supports Symantec certificates, enabling this policy will have no effect and the certificates will not be trusted.
- Before rolling out this policy across your organization, test to make sure that your users can still access the sites they need to with this policy enabled. Make sure also that you have a plan to migrate to new certificates before Chrome OS version 73, and that your users can access critical webpages during this transition.
- This policy lets websites continue to use legacy certificates, and users visiting these sites won’t see any alerts or messages. Enabling this policy could make it difficult for you to discover which servers and sites are using legacy certificates. During the transition period, you should regularly test sites with this policy disabled to determine which sites or services need to be updated.
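One way to triage an inventory against the default (Block) behavior in this page's table, as an added example that is not Google's tooling: it reads the output of `openssl x509 -noout -issuer -startdate` and matches the issuer against the brand names listed above. The host names, the sample output and the name-matching heuristic are assumptions, so treat a match as a lead to confirm by testing with the policy disabled.

```python
import re
from datetime import datetime

# Brand names listed on this page. Matching the issuer string is a heuristic
# assumed for this example, not Chrome's own trust check.
BRANDS = ("symantec", "geotrust", "equifax", "thawte", "rapidssl", "verisign")
WINDOW_START = datetime(2016, 6, 1)   # 2016/06/01 from the page's table
WINDOW_END = datetime(2017, 12, 1)    # 2017/12/01 from the page's table

# Constructed sample output for hypothetical hosts (not real certificates).
SAMPLES = {
    "pos.example.test": "issuer=C = US, O = GeoTrust Inc., CN = Constructed CA 1\n"
                        "notBefore=Mar 14 00:00:00 2016 GMT",
    "intranet.example.test": "issuer=C = US, O = Symantec Corporation, CN = Constructed CA 2\n"
                             "notBefore=Feb  2 00:00:00 2017 GMT",
    "partner.example.test": "issuer=C = US, O = Example Trust, CN = Constructed CA 3\n"
                            "notBefore=Jan 10 12:00:00 2018 GMT",
}

def parse_openssl(text):
    """Return (issuer, notBefore) from `openssl x509 -noout -issuer -startdate`."""
    issuer = re.search(r"^issuer=\s*(.+)$", text, re.M).group(1).strip()
    start = re.search(r"^notBefore=(.+?)(?: GMT)?$", text, re.M).group(1).strip()
    return issuer, datetime.strptime(start, "%b %d %H:%M:%S %Y")

def blocked_by_default(issuer, not_before, chrome_os_version):
    """True if the page's table says the Block default distrusts the cert.
    False if the issuer matches no listed brand; None if no rule is given."""
    if not any(brand in issuer.lower() for brand in BRANDS):
        return False
    if chrome_os_version >= 70:
        return True          # all Symantec-issued certificates distrusted
    if chrome_os_version >= 66:
        # Boundary days are treated as inside the allowed window (assumption).
        return not (WINDOW_START <= not_before <= WINDOW_END)
    return None              # versions before 66 are not covered by the table

def report(samples, versions=(66, 70)):
    """Map each host to {Chrome OS version: blocked-by-default verdict}."""
    rows = {}
    for host, text in samples.items():
        issuer, start = parse_openssl(text)
        rows[host] = {v: blocked_by_default(issuer, start, v) for v in versions}
    return rows

if __name__ == "__main__":
    for host, verdicts in report(SAMPLES).items():
        print(host, verdicts)
```

Hosts that report `True` for a version your fleet will reach are the ones to schedule for certificate replacement first.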
Enable support for legacy Symantec certificates on Chrome OS
From the Admin console dashboard, go to Device management > Chrome management.
If you don't see Device management on the dashboard, click More controls at the bottom.
- Click User settings.
- (Optional) To apply the settings to an organization:
- Go to the Security Local Trust Anchors Certificates Symantec Corporation’s Legacy PKI Infrastructure section.
- To allow legacy certificates issued by Symantec to be trusted, select Allow.
- To block legacy certificates issued by Symantec, select Block.
This setting enforces the Chrome OS default behavior. Which certificates are blocked depends on the Chrome OS version and the date the certificates were created. See this table for more information:
| Chrome OS version | Default behavior (block) |
| --- | --- |
| Chrome 66 to Chrome 69 | Distrust Symantec-issued certificates issued after 2017/12/01 and before 2016/06/01, but allow all certificates issued between these dates. |
| Chrome 70 to Chrome 73 | Distrust all Symantec-issued certificates. |
- At the bottom, click Save.
Settings typically take effect in minutes, but can take up to an hour to apply for everyone.
- For more information on why Google is ending support for certain Symantec certificates, see Chrome’s Plan to Distrust Symantec Certificates.