TLS certificates by Symantec in new infrastructure and incorporation with DigiCert

The TLS certificates issued by the certificate authority Symantec will be integrated into a new infrastructure, which will result from the merger of Symantec's PKI with the corporation DigiCert. This merger will make it necessary to reissue the current certificates. In the following text we will provide you with all the important information.

New PKI infrastructure

As a result of the joint venture, the PKI products (the so-called Website Security Solutions) and assets of Symantec will merge with the certificate authority DigiCert. DigiCert will serve the Symantec certificates as a subordinate certificate authority (Sub-CA), which will carry out the verification of the certificates for Symantec. All other steps in the issuing process will not be affected and customers will be able to obtain their certificates as usual.

The advantage this change will bring is that both CAs will focus solely on the issuance of TLS certificates, which will simplify and speed up the process.

Until now, DigiCert has focused primarily on enterprise customers. With this change, the corporation will be able to expand its operations to include end customers, and Symantec's customers will be able to choose from a wider range of products, because certificates will be added that Symantec has not offered before, such as S/MIME solutions.

Both certificate authorities will be merged into one corporation after the transaction has been completed (Q3 2018). You can therefore look forward to an expanded offer in the near future, which will also include DigiCert's current products. The SSL/TLS certificates by Symantec will, of course, not be changed.

The reason for changing the infrastructure is the conflict with Google. The internet giant wanted to withdraw trust in Chrome from certificates that were issued without Certificate Transparency, and later also from certificates that were issued within Symantec's old PKI. The current operation will resolve the issue and there will be no problems with certificates issued within the new PKI.

The change to the new PKI by Symantec and DigiCert requires a reissue of the affected certificates, which is also necessary for them to remain trusted.

Launching the new infrastructure

The new infrastructure will be launched on 1.12.2017. New root certificates (RSA 4096 and ECC 384) will be generated, and they will be provided and added to all lists of root CAs from November. The products will be differentiated by Sub-CAs (intermediate certificates).

Compatibility with older devices will be guaranteed by a second root cross-signed by Verisign G5 (the so-called cross-signing process).

Reissue of the current certificates

As mentioned before, the change to the new infrastructure will resolve the dispute with Chrome and the certificates will not cause any issues. Certificates issued before the merger will be reissued free of charge according to the following schedule:

  • Certificates issued before 01.06.2016 with an expiry date before 13.09.2018 ought to be reissued immediately
  • Certificates issued before 01.06.2016 with an expiry date after 13.09.2018 ought to be reissued between 01.12.2017 and 15.03.2018
  • Certificates issued before 1.12.2017 with an expiry date after 13.09.2018 ought to be reissued between 01.12.2017 and 13.09.2018

The reissue is free of charge and can be carried out in the customer portal. All parameters of the certificates, including the expiry date, will remain the same.

We will inform our customers about the necessary reissue of all their certificates. You will receive a list of the affected certificates for every customer account.
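To check an inventory against the schedule above before the list arrives, the three rules can be applied as a date classifier. This is an added example, not SSLmarket's or DigiCert's tooling; the function names and the inventory are constructed, and it assumes the rules are checked in the order listed with the first match winning.

```python
from datetime import date

# Cut-off dates from the reissue schedule on this page (written DD.MM.YYYY there).
OLD_PKI_CUTOFF = date(2016, 6, 1)    # 01.06.2016
NEW_PKI_LAUNCH = date(2017, 12, 1)   # 01.12.2017
EARLY_DEADLINE = date(2018, 3, 15)   # 15.03.2018
FINAL_DEADLINE = date(2018, 9, 13)   # 13.09.2018
IMMEDIATELY = "immediately"


def reissue_window(issued, expires, code_signing=False):
    """Return IMMEDIATELY, a (start, end) reissue window, or None.

    None means the schedule lists no action for this certificate.
    Assumption: first matching rule wins, so the third rule effectively
    covers certificates issued from 01.06.2016 up to the new PKI launch.
    """
    if code_signing:                 # the page excludes Code Signing certificates
        return None
    if issued >= NEW_PKI_LAUNCH:     # issued on or after the launch: not in the schedule
        return None
    if issued < OLD_PKI_CUTOFF:
        if expires < FINAL_DEADLINE:
            return IMMEDIATELY                      # rule 1
        if expires > FINAL_DEADLINE:
            return (NEW_PKI_LAUNCH, EARLY_DEADLINE)  # rule 2
        return None                  # expires exactly on 13.09.2018: not listed
    if expires > FINAL_DEADLINE:
        return (NEW_PKI_LAUNCH, FINAL_DEADLINE)      # rule 3
    return None                      # issued after 01.06.2016, expires by 13.09.2018: not listed


# Constructed inventory: (name, issued, expires, is_code_signing).
INVENTORY = [
    ("legacy-short.example", date(2016, 3, 10), date(2018, 3, 10), False),
    ("legacy-long.example", date(2016, 5, 20), date(2019, 5, 20), False),
    ("mid-long.example", date(2017, 2, 1), date(2019, 2, 1), False),
    ("mid-short.example", date(2017, 2, 1), date(2018, 2, 1), False),
    ("new-pki.example", date(2017, 12, 5), date(2019, 12, 5), False),
    ("signing-cert", date(2016, 1, 1), date(2019, 1, 1), True),
]


def plan(inventory):
    """Map each certificate name to its reissue window."""
    return {name: reissue_window(i, e, cs) for name, i, e, cs in inventory}


if __name__ == "__main__":
    for name, window in plan(INVENTORY).items():
        print(f"{name:24} {window}")
```

Issue and expiry dates correspond to a certificate's notBefore and notAfter fields.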

We are happy to help you with the reissue process

Each customer will receive a list of certificates that need to be reissued within the mentioned time frames. You will find the option to initiate the reissue process after logging into the SSLmarket customer portal, but you can also contact our customer support at any time.

If you use a Windows server and need a new CSR for the reissue, you can generate it within SSLmarket and create a PFX file for Windows servers after the certificate has been issued.

Please note: the aforementioned information does not apply to Code Signing certificates.