
15 Aug 2017

Monitoring of Symantec Certificates

by Ivan Ristić

Google and Mozilla are planning to deprecate all existing Symantec certificates, cutting their lifetime short. This creates a significant operational problem for many organizations, which will need to identify every affected certificate and replace it before browsers stop trusting it. To assist with this process, we’ve added detection of Symantec certificates (all brands) to Hardenize, and we now show the effective expiration date: the earlier of the certificate’s own expiration and its deprecation deadline.

In March 2017 Google dropped a bombshell: they announced that they had lost confidence in Symantec’s certificate issuance policies and practices, and said that they would deprecate all of Symantec’s certificates on an aggressive schedule. By the end of the deprecation process, the lifetime of the affected certificates would have been limited to only 9 months.

In the months that followed, a series of discussions took place among Google, Mozilla, Symantec and members of the community. In the end, Google and Symantec made a deal in which Symantec would outsource the operation of their PKI to another CA. All certificates issued by Symantec’s own infrastructure would still be deprecated, but no restrictions would be placed on the lifetime of the new certificates (those not issued by Symantec directly). Mozilla decided to follow Google’s plan. The new infrastructure is expected to be operational on December 1st, 2017.

In yet another turn of events, just a couple of days after the final proposal had been published, Symantec announced that they would sell their certificate business to DigiCert, the same company they had chosen to operate their new PKI infrastructure. In light of this change of control, Google has postponed the formal announcement of their actions, but the expectation is that they will proceed with few or no changes. We will update our implementation if any of the details change.

The good news is that the final plan is much simpler than the one initially circulated. There are now only two deprecation batches. The first batch covers all certificates issued before June 2016, which will stop working in March 2018. The second deadline is September 2018, when all remaining “old” Symantec certificates (those issued by Symantec’s own infrastructure, regardless of issue date) will stop working. Overall, it’s pretty straightforward, with one caveat: if you have any Symantec certificates that expire before December 2017, the replacements you obtain now will still come from the old infrastructure and therefore fall under the September 2018 deadline, so you’ll need to replace them again before then (if you stay with Symantec, of course).
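As an added example (not Hardenize’s own code), here is how the effective-expiration rule described above can be computed from the issuer and validity fields that `openssl x509 -in cert.pem -noout -issuer -startdate -enddate` prints. Two things are assumptions: the post names only months, so the deadlines are placed on the first of each month as placeholders, and “Symantec brand” is detected by a keyword match on the issuer Organization (Symantec, VeriSign, GeoTrust, Thawte, RapidSSL, Equifax), whereas a production check should match the actual set of affected roots rather than names. The sample openssl output is constructed.

```python
"""Effective expiration of Symantec-branded certificates under the two-batch
deprecation schedule described in the post.

Added example (not Hardenize's code). Input is the text printed by
    openssl x509 -in cert.pem -noout -issuer -startdate -enddate
Exact day-of-month values for the deadlines are assumptions: the post names
only the months.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Schedule from the post; the first of each month is an assumed placeholder.
FIRST_BATCH_ISSUED_BEFORE = _utc(2016, 6, 1)   # "issued prior to June 2016"
FIRST_BATCH_DEADLINE = _utc(2018, 3, 1)        # first batch stops working "March 2018"
SECOND_BATCH_DEADLINE = _utc(2018, 9, 1)       # all old Symantec certs: "September 2018"
NEW_PKI_CUTOVER = _utc(2017, 12, 1)            # new infrastructure "operational on December 1st, 2017"

# Heuristic brand match on the issuer Organization (assumption). A production
# check should match the actual set of affected roots, not names.
SYMANTEC_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl", "equifax")


@dataclass
class CertInfo:
    issuer_org: str
    not_before: datetime
    not_after: datetime


@dataclass
class Assessment:
    effective_expiration: datetime
    cut_short: bool        # True when the deprecation deadline comes before notAfter
    replace_twice: bool    # the post's caveat: cert expires before the Dec 2017 cutover
    reason: str


def is_symantec_brand(issuer_org: str) -> bool:
    org = issuer_org.lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)


def _parse_openssl_date(value: str) -> datetime:
    # openssl prints e.g. "Jan  9 23:59:59 2019 GMT"; strptime tolerates the double space.
    return datetime.strptime(value.strip().replace(" GMT", ""),
                             "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_openssl_output(text: str) -> CertInfo:
    """Parse the issuer=/notBefore=/notAfter= lines from openssl x509.

    Handles both issuer formats: "issuer=C = US, O = Foo, ..." (OpenSSL 1.1+)
    and "issuer= /C=US/O=Foo/..." (OpenSSL 1.0).
    """
    org = re.search(r"^issuer=.*?\bO\s*=\s*([^,/\n]+)", text, re.M)
    before = re.search(r"^notBefore=(.+)$", text, re.M)
    after = re.search(r"^notAfter=(.+)$", text, re.M)
    if not (org and before and after):
        raise ValueError("missing issuer O=, notBefore or notAfter line")
    return CertInfo(org.group(1).strip(),
                    _parse_openssl_date(before.group(1)),
                    _parse_openssl_date(after.group(1)))


def assess(cert: CertInfo) -> Assessment:
    """Date after which browsers following the plan stop trusting the certificate."""
    if not is_symantec_brand(cert.issuer_org):
        return Assessment(cert.not_after, False, False, "not a Symantec-branded certificate")
    replace_twice = cert.not_after < NEW_PKI_CUTOVER
    if cert.not_before >= NEW_PKI_CUTOVER:
        # Assumption: a Symantec-branded cert issued after the cutover comes from
        # the new, unrestricted infrastructure.
        return Assessment(cert.not_after, False, False,
                          "issued after the PKI cutover; not restricted")
    deadline = (FIRST_BATCH_DEADLINE if cert.not_before < FIRST_BATCH_ISSUED_BEFORE
                else SECOND_BATCH_DEADLINE)
    if cert.not_after <= deadline:
        return Assessment(cert.not_after, False, replace_twice,
                          "expires naturally before its deprecation deadline")
    return Assessment(deadline, True, replace_twice,
                      f"deprecated on {deadline:%Y-%m-%d}, ahead of notAfter {cert.not_after:%Y-%m-%d}")


# Constructed sample: the output shape of openssl x509, not a real certificate.
SAMPLE_OPENSSL_OUTPUT = """\
issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network
notBefore=Jan 10 00:00:00 2016 GMT
notAfter=Jan  9 23:59:59 2019 GMT
"""

if __name__ == "__main__":
    result = assess(parse_openssl_output(SAMPLE_OPENSSL_OUTPUT))
    print(f"effective expiration {result.effective_expiration:%Y-%m-%d} ({result.reason})")
```

Run over a directory of PEM files by piping each `openssl x509` dump into `parse_openssl_output`; any result with `cut_short` set needs a replacement before its effective date, and `replace_twice` flags the certificates the post’s caveat applies to.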