Migrate from Symantec certificates

Applies to managed Chrome Browsers and Chrome devices.

Symantec® certificates issued before December 2017 are being phased out of support starting with Chrome version 66 (applies to Chrome Browser and Chrome OS). In Chrome version 70 and later, Chrome Browser and Chrome OS will stop supporting Symantec certificates. All certificates issued under Symantec brands such as GeoTrust®, Equifax®, Thawte®, RapidSSL®, and VeriSign®, and those from Symantec resellers are impacted by this change.

Visitors to websites that use a Symantec certificate that is no longer trusted may see an error message. Also, sites that use resources (such as JavaScript or CSS stylesheets) served by a host that uses a Symantec certificate may no longer work correctly.

Which certificates are blocked depends on the Chrome version and the date the certificates were created.

Chrome version | Default behavior (block)
Chrome 66 to Chrome 69 | Distrust Symantec-issued certificates issued after 2017/12/01 and before 2016/06/01, but allow all certificates issued between these dates.
Chrome 70 to Chrome 73 | Distrust all Symantec-issued certificates.

Plan your migration

Assess your deployment to determine the best solution for your enterprise. Follow the steps below that match how and where you use certificates.

My enterprise uses Symantec certificates

Work with your webmaster to identify where you use Symantec certificates in your domains, and replace these as soon as possible. You can use a certificate from any Certificate Authority trusted by Chrome. This includes DigiCert, which has purchased Symantec's business.

Our legacy devices only trust Symantec certificates

Some legacy devices, such as point-of-sale terminals, phone systems, or other forms of integrated hardware, are only capable of trusting Symantec certificates. If this applies to you, contact the device suppliers and ask them to support other Certificate Authorities.

If your devices can’t be updated immediately, and they use the same web servers as your Chrome users, you can enable temporary support for Symantec certificates until you replace or upgrade your devices. If this applies to you, contact the DigiCert representative assigned to your Symantec account to develop a plan to transition to a new Certificate Authority.

Our partners use Symantec certificates

If your enterprise depends on a partner site that uses Symantec certificates, contact the webmaster to find out their schedule for replacing the certificates. These sites should transition their certificates immediately to avoid any disruption to your enterprise.

If your partner can’t update their site immediately, consider enabling temporary support for Symantec certificates, until the site is updated.

Enable temporary support for Symantec certificates

To give you more time to transition from Symantec certificates, you can set a user policy to temporarily support legacy Symantec certificates. This policy will work until Chrome version 73. After version 73, this policy will stop working and all Symantec certificates will be blocked on Chrome Browser and Chrome OS.

Before you begin
  • Chrome OS will support this policy until version 73. However, other operating systems, such as Windows, Linux, or macOS, could remove support for Symantec certificates before Chrome 73 is released. If your users are running the Chrome Browser on an operating system that no longer supports Symantec certificates, enabling this policy will have no effect and the certificates will not be trusted.
  • Enabling this policy is only a temporary solution to give you more time to transition to a permanent solution. Plan your migrations so that your users can access critical webpages during this transition.
  • Before rolling out this policy across your organization, test to make sure that your users can still access the sites they need to with this policy enabled.
  • This policy lets websites continue to use legacy certificates, and users visiting these sites won’t see any alerts or messages. Enabling this policy could make it difficult for you to discover which servers and sites are using legacy certificates. During the transition period, you should regularly test sites with this policy disabled to determine which sites or services need to be updated.
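
For the regular testing recommended above, the version table can be applied to certificate data collected from your hosts. The following is an added example, not part of the original article: it reads the issuer and start date as printed by `openssl x509 -noout -issuer -startdate` and reports how each Chrome version would treat the certificate. The host names, sample output, and function names are constructed for illustration, and matching on issuer text is a simplifying assumption.

```python
from datetime import datetime

# Brands named on this page. Matching issuer text is an assumption of this
# example: Chrome evaluates the chain itself, so treat hits as candidates to verify.
LEGACY_BRANDS = ("symantec", "geotrust", "equifax", "thawte", "rapidssl", "verisign")
WINDOW_START = datetime(2016, 6, 1)   # table: issued before this -> blocked in 66-69
WINDOW_END = datetime(2017, 12, 1)    # table: issued after this  -> blocked in 66-69

def parse_openssl(text):
    """Parse `openssl x509 -noout -issuer -startdate` output -> (issuer, not_before)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "issuer" not in fields or "notBefore" not in fields:
        raise ValueError("expected issuer= and notBefore= lines")
    stamp = fields["notBefore"].replace("GMT", "").strip()
    return fields["issuer"], datetime.strptime(stamp, "%b %d %H:%M:%S %Y")

def chrome_verdict(issuer, not_before, chrome_major, policy_enabled=False):
    """Apply the page's version table to one leaf certificate."""
    if not any(brand in issuer.lower() for brand in LEGACY_BRANDS):
        return "not-symantec"
    if chrome_major > 73:
        return "blocked"              # policy stops working after version 73
    if chrome_major < 66:
        return "allowed"              # phase-out starts with Chrome 66
    if policy_enabled:
        return "allowed-by-policy"    # temporary exception; users see no warning
    if chrome_major <= 69 and WINDOW_START <= not_before <= WINDOW_END:
        return "allowed"
    return "blocked"

# Constructed sample output, not taken from real certificates.
SAMPLES = {
    "pos.example.test": "issuer=C = US, O = GeoTrust Inc., CN = Example Issuing CA\nnotBefore=Mar  4 00:00:00 2015 GMT",
    "api.example.test": "issuer=C = US, O = Symantec Corporation, CN = Example Server CA\nnotBefore=Feb 10 00:00:00 2017 GMT",
    "www.example.test": "issuer=C = US, O = Example Trust, CN = Example CA 1\nnotBefore=Jan 15 00:00:00 2018 GMT",
}

def report(chrome_major, policy_enabled=False):
    return {host: chrome_verdict(*parse_openssl(out), chrome_major, policy_enabled)
            for host, out in SAMPLES.items()}

if __name__ == "__main__":
    for major in (66, 70):
        print(major, report(major))
```

Hosts reported as allowed-by-policy are the ones that will break when the policy is removed or stops working.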
Admin console

Applies when users use a Chrome Browser on a Chrome OS device.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management and then Chrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. On the left, click Chrome management.
  4. Click User settings.
  5. (Optional) To apply the settings to an organization:
    1. On the left, select the organization.
    2. Make sure Managed Chrome Browser is turned on for this organization.
      Learn more about the organizational structure.
  6. Go to the Security and then Local Trust Anchors Certificates and then Symantec Corporation’s Legacy PKI Infrastructure section.
  7. Select one of the following:
    1. Allow - allows legacy certificates issued by Symantec to be trusted.
    2. Block - blocks legacy certificates issued by Symantec. This setting enforces the Chrome OS default behavior. Which certificates are blocked depends on the Chrome OS version and the date the certificates were created. See the table above for more information.
  8. At the bottom, click Save.
    Settings typically take effect in minutes, but can take up to an hour to apply for everyone.
Windows

Applies when users use Chrome Browser on Windows.

Using Group policies

Before you begin: Set up Chrome policies (Windows)

On your Windows computer
  1. Open your Group Policy Management Console.
  2. Go to User Configuration and then Policies and then Administrative Templates and then Google and then Google Chrome.
  3. Click Whether to enable trust in Symantec Corporation’s Legacy PKI Infrastructure.
  4. Select Enabled.
  5. Click OK.
macOS

Applies when users use Chrome Browser on macOS.

Before you begin: Set up Chrome policies (macOS)

In your Chrome configuration profile, add or update the following key. Then deploy the change to your users.

  • Set the EnableSymantecLegacyInfrastructure key to true:
    <key>EnableSymantecLegacyInfrastructure</key>
    <true/>

Linux

Applies when users use Chrome Browser on Linux.

Using your preferred JSON file editor:

  1. Go to your /etc/opt/chrome/policies/managed folder.
  2. Create a new JSON file. Or open an existing JSON file.
  3. Update the file with the following code:
    {
      "EnableSymantecLegacyInfrastructure": true
    }
  4. Deploy the update to your users.
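
Because this policy is a temporary exception, it helps to be able to check which Linux machines still carry it. The following is an added example, not part of the original article: it scans a managed-policy directory for the EnableSymantecLegacyInfrastructure key and reports its state, including a value of the wrong type (the policy is a boolean, so a quoted "true" is a string). The function name and sample files are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

POLICY = "EnableSymantecLegacyInfrastructure"

def audit_policy_dir(directory):
    """Return {file name: finding} for each managed-policy JSON file that sets POLICY."""
    findings = {}
    for path in sorted(Path(directory).glob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # Unreadable or malformed policy files are reported, not skipped.
            findings[path.name] = f"unreadable: {exc.__class__.__name__}"
            continue
        if not isinstance(data, dict) or POLICY not in data:
            continue
        value = data[POLICY]
        if value is True:
            findings[path.name] = "exception enabled"
        elif value is False:
            findings[path.name] = "explicitly disabled"
        else:
            findings[path.name] = f"wrong type ({type(value).__name__}), expected boolean"
    return findings

if __name__ == "__main__":
    # Constructed sample files; on a real machine pass
    # /etc/opt/chrome/policies/managed instead.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "symantec.json").write_text('{"%s": true}' % POLICY)
        Path(tmp, "quoted.json").write_text('{"%s": "true"}' % POLICY)
        Path(tmp, "other.json").write_text('{"HomepageLocation": "https://example.test"}')
        for name, finding in audit_policy_dir(tmp).items():
            print(f"{name}: {finding}")
```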
