Replacing SSL (Secure Socket Layer) Cer­ti­fic­ates affected by browser distrust

The popular internet browsers Google Chrome and Mozilla Firefox have recently announced their plans to distrust any SSL cer­ti­fic­ates issued by the company Symantec before 1^st December, 2017. An SSL cer­ti­fic­ate is an important aspect of a website that handles sensitive, personal in­form­a­tion. Symantec’s Web Security and other PKI solutions have been taken over by the company DigiCert – this ac­quis­i­tion will result in DigiCert updating and mod­ern­ising several aspects of the Symantec model. However, in the meantime, Chrome and Mozilla have decided to remove trust in Symantec SSL cer­ti­fic­ates until these updates are completed.

Chrome and Mozilla’s decision to distrust SSL cer­ti­fic­ates results from a small number of dis­crep­an­cies in SSL cer­ti­fic­ates issued by them between 2015 and now. The main criticism was about Symantec’s ability to ensure a proper au­then­tic­a­tion process for SSL cer­ti­fic­ates. Debates between Symantec and the browser community have spread over several months and have concluded with two main action points laid down by Google Chrome and later confirmed by Mozilla:

1. Symantec must partner up with another Cer­ti­fic­ate Authority to run the SSL au­then­tic­a­tion and issuance processes from a new in­fra­struc­ture.
   
   
2. All SSL cer­ti­fic­ates issued from prior Symantec roots will be dis­trus­ted and need to be replaced without extra cost following phased timeline.

Shortly after this decision, Symantec sold their SSL business to Digicert and started issuing fully compliant SSLl cer­ti­fic­ates from their new CA in­fra­struc­ture on 1^st December, 2017.

Whilst Chrome and Mozilla may be acting in the interest of their customers safety, there are a number of browsers such as Internet Explorer, Safar and Opera who are choosing not to display warning messages to visitors, as they do not believe the threat to be as serious as Chrome and Mozilla claim. Re­gard­less of severity of the security risk, plenty of website operators may have their website affected by this campaign of distrust.

In order to work out whether or not your website’s SSL cer­ti­fic­ates will be affected by this change, you will need to check the validity of the cer­ti­fic­ate. There are a number of online tools that can help you assess the validity of your SSL cer­ti­fic­ates – simple research, select and download your program to check their cer­ti­fic­ate validity. Al­tern­at­ively, checking the validity through your own browser is quite straight­for­ward. Here, we will show you how to check whether your SSL cer­ti­fic­ates are in date or not on Google Chrome and Mozilla Firefox.

Go to the “Details” tab in the second popup window and you will be able to find the validity period dates for the website’s cer­ti­fic­ate.

Simply click on the arrow next to the website con­nec­tion in­form­a­tion and another window will pop open. In the General tab of the pop up window, the Period of Validity will be on display at the bottom.

All affected SSL cer­ti­fic­ates need to be replaced through a Reissue operation. This provides a new cer­ti­fic­ate for the same domain, with the same ex­pir­a­tion date as the one replaced.

Symantec/DigiCert are offering affected customers a new SSL cer­ti­fic­ate free of charge. You will need to create a CSR (Cer­ti­fic­ate Signing Request) for each of the cer­ti­fic­ates you wish to replace/have reissued, which is a standard procedure for sending DigiCert your public key, in­form­a­tion about your company and your domain name. Submit your request, and once DigiCert have re­val­id­ated your domains and or­gan­isa­tions, you will receive the new cer­ti­fic­ate which you can install.