What to Do If Your Users Are Seeing Warning Messages in Your Browser

All legacy Symantec account portals have moved to CertCentral. Log in below if you’ve already activated your CertCentral account. If not, contact our sales or support teams here. They will send you an email with a unique link to access your account. Login

What to Do If Your Users Are Seeing Warning Messages in Chrome and Other Browsers

Here, you’ll find the information you need to replace your DigiCert-issued certificates and stop user warnings from displaying on your site.

What is happening?

Google Chrome, Mozilla Firefox, and other major browsers are in the process of deprecating trust in certificates that were issued off DigiCert Certificate Authority infrastructure. This includes DigiCert, GeoTrust, Thawte, and RapidSSL certificates.

DigiCert will replace all affected certificates at no cost. Additionally, you do not need to switch to a new account or platform. Continue to use your current DigiCert Website Security, GeoTrust, Thawte, or RapidSSL account to replace and order your SSL/TLS certificates. For a step-by-step guide to reissuing your certificates, skip to the bottom of this page.

What sites does this affect?

If your site is using a certificate in the DigiCert group of brands that was issued before June 1, 2016, the Chrome 66 update is likely displaying warning messages to your users. For further details on the Chrome timeline, read our blog post.

If you have a certificate affected by this distrust, your users will see a warning that their “connection is not private,” as shown in the screenshot below.

Connection Not Private

How do I replace my affected certificates?

Follow these simple steps:

Sign in to your existing DigiCert, Thawte, GeoTrust, or RapidSSL account.
Find the certificate(s) you need to replace.
Create a CSR (certificate signing request).
Select the replace/reissue certificate option.
Submit your replacement/reissue request.
As soon as DigiCert has revalidated/re-authenticated your domains and organizations (as required for the certificate type), we will reissue your replacement certificate.
Install your SSL/TLS certificate.

Following these steps will give you the same branded certificate you’ve been using on your site, reissued on the trusted DigiCert infrastructure.

Brand-Specific Certificate Replacement Instructions

DigiCert Complete Website Security
DigiCert PKI Platform
DigiCert Trust Center
DigiCert Trust Center Enterprise
Thawte Certificate Center (TCC)
Thawte Certificate Center Enterprise (TCCE)
GeoTrust Security Center (GSC)
GeoTrust Enterprise Security Center (GESC)
RapidSSL Security Center

FAQs

How do I know if I need to replace my certificates?

If affected, you will receive a message (either email or phone call) from DigiCert, letting you know which certificates need to be replaced. If you want to take action now, reach out to your account representative or our Support team. Any impacted certificate will function properly until March 15, 2018, but to avoid potential issues we highly recommend you renew (if applicable) or replace any impacted certificates before March 15th.

Should I “renew” or “replace” if I’m within my 90-day renewal window?

If you’re within your 90-day renewal window, you should RENEW instead of replacing your affected certificate(s). Renewal will resolve the issue.

How long will it take for me to receive my replacement?

Our normal processing time is three to five days, however, it may take longer if we need you to provide more information. For example, when you replace your certificate, we will need to revalidate, which may require a verification call* or other validation checks. If we request an action from you, please comply as soon as possible to avoid delays. If you have multiple certificates for the same organization, subsequent requests should be issued faster if pre-validation was successful. FYI, we’re anticipating a high demand leading up to March 15th and through the first quarter. Request replacements or renewals as soon as possible.

*Note regarding verification call:
Verification calls normally happen within 24 hours after the replacement request has been placed. DigiCert will call a verified phone number to complete the organization validation and authentication.

If I have to replace my certificate, do I have to replace it using the DigiCert platform?

Not necessarily. You should replace your certificate on the same portal or console where you made your original purchase.

How can I know the status of the replacement process?

Not necessarily. You should replace your certificate on the same portal or console where you made your original purchase.

Can you describe the difference between replace, reissue, and revoke?

Replace and reissue mean the same thing. Symantec and Thawte use replace; GeoTrust, RapidSSL, and partners use reissue. Revoke means the certificate is no longer usable, regardless of brand. If you get a message from us that uses replace or reissue, the action is the same: you need to get a new certificate to avoid distrust dates set by Google.

Why are only DigiCert, Thawte, GeoTrust, and RapidSSL certificates required to be replaced?

Read our blog post for more information.

I have certificates that will be distrusted in March and some in September. Should I replace them at the same time?

We recommend you focus on replacing your certificates that need to be replaced by the March 15th date at this time.

What happens to the installed certificate that is being replaced?

Your impacted certificate will only work until the distrust date. You should install your replacement certificate promptly.

What happens if I don’t replace my certificate?

After March 15, 2018, when users visit your website using Chrome or Firefox, they will see a browser warning that says the SSL/TLS certificate on your site is distrusted, and your site is not secure. It may look like the example below.

Do the distrust dates apply to certificates issued from VeriSign roots, or only to DigiCert, Thawte, GeoTrust, and RapidSSL certificates?

The distrust dates will apply to all certificates issued from VeriSign roots, including DigiCert, Thawte, GeoTrust, and RapidSSL certificates.

Is Chrome the only browser which will distrust these certificates?

No. Chrome and Firefox have a schedule to distrust these certificates, and we anticipate other browsers to make the same changes in the future.
For more information on Google’s (Chrome) statement, read here.
For more information on Mozilla’s (Firefox) statement, read here.

What about 3-year certificates?

We recommend replacing your 3-year certificates before February 20, 2018, so you get their full validity period. As of March 1, 2018, Certificate Authorities will no longer issue 3-year OV and DV certificates. Additionally, all OV and DV replacement certificates issued after February 28, 2018 can only have a maximum validity of 825 days, regardless of how much time remains on the certificate order. See End of Life for 3-Year OV & DV Certificates.

Products

Enterprise PKI Platform

CertCentral Certificate Manager

Choose Your TLS/SSL

Help Me Choose a Product

Go Beyond Encryption

TLS/SSL Certificates

Desktop and Mobile Code Signing Certificates

Enterprise