Apr 03, 2018 Andrew Mayo

Symantec security certificates – the clock is ticking

Late last year, Google indicated that it will no longer consider Symantec-authored certificates as trusted within the Chrome browser, effective mid-April 2018. Mozilla is understood to be implementing changes to Firefox effective in May 2018.

Google took this action because they allege that Symantec failed to exercise due diligence in the issuing of critical root certificates on more than one occasion, an action which could have fundamentally compromised the ‘web of trust’ on which users rely.

As a consequence, Symantec has divested their CA business to DigiCert.

However, this issue has consequences for customers of Symantec and the certificates they may be using within their corporate infrastructure.

If your organization has public-facing web servers associated with these certificates after those dates, Chrome and Firefox users will receive a message indicating that the server security certificate is untrusted.

While Apple and Microsoft haven’t publicly stated a position here, it’s not unlikely that they will in due course update their browsers in a similar way.

Now, it’s fairly easy to check your public-facing corporate internet sites using SSL checkers such as the one here.

But what about your internal networks? Often, critical corporate infrastructure contains internal websites used for managing and disseminating information through the organization. Users could have issues accessing these sites if their certificates are no longer trusted by the browser being used.

Fortunately, with Tachyon it’s easy to track down certificates across your estate. Here we examine specifically the trusted root CAs because it is these certificates that are important in this context. However, Tachyon has a wide range of certificate management instructions which go far beyond this capability.

Almost immediately, Tachyon’s scalable infrastructure distributes the question to the endpoints and collates the results, a subset of which are shown here.

Using Tachyon’s powerful filtering capabilities, we can quickly drill down to the vital information we seek.

We’re not limited, though, to just passively querying our estate. Using Tachyon, it’s equally simple to push out replacement certificates to the endpoints we want to update. And Tachyon allows you to quickly and easily add new instructions, personalized to reflect your specific business challenges. Through the Tachyon Exchange, it’s possible to browse for customized solutions created by both our own engineers and our business partners.


So don’t let the clock tick down on you. Take action now with Tachyon. Oh, and don’t forget. Certificates from Thawte, GeoTrust and RapidSSL may also be affected. Although Google and Mozilla have indicated that the Chrome and Firefox checks are focussed on certificates where the root of the trust chain involves Symantec, these CAs were affiliated with Symantec and their certificates probably need to be replaced in due course.
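
For a single Windows endpoint, the same audit can be sketched in PowerShell. This is an added example, not Tachyon instruction code or anything published by 1E. It goes one step beyond listing trusted roots: it builds the chain for each machine certificate and flags those whose issuers match the brands named in this article. The function names, the store list and the name-matching pattern are assumptions to adapt to your estate.

```powershell
# Added example (not Tachyon code). Name matching is a heuristic: the brand
# list below is taken from the article and is an assumption to extend.
$LegacyBrands = 'Symantec|Thawte|GeoTrust|RapidSSL'

# Hypothetical helper: list trusted roots on this machine that match the pattern.
function Get-LegacyTrustedRoot {
    param([string]$Pattern = $LegacyBrands)
    Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Subject -match $Pattern } |
        Select-Object Subject, Thumbprint, NotAfter
}

# Hypothetical helper: find machine certificates whose chain involves a
# matching issuer. These are the ones browsers will stop trusting.
function Get-LegacyChainedCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting'),
        [string]$Pattern = $LegacyBrands
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }   # store absent on this host
        foreach ($cert in Get-ChildItem -Path $path) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Audit runs offline: skip CRL/OCSP lookups while building the chain.
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $valid = $chain.Build($cert)

            # Issuer of every element: leaf -> intermediates -> root. If the
            # chain is incomplete, the leaf's own Issuer field is still checked.
            $issuers = @($chain.ChainElements | ForEach-Object { $_.Certificate.Issuer })
            if ($issuers.Count -eq 0) { $issuers = @($cert.Issuer) }
            $matched = @($issuers | Where-Object { $_ -match $Pattern })
            $chain.Reset()

            if ($matched.Count -gt 0) {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    MatchedIssuer = $matched[-1]   # highest matching issuer in the chain
                    ChainValid    = $valid
                }
            }
        }
    }
}

Get-LegacyChainedCertificate | Sort-Object NotAfter | Format-Table -AutoSize
```

The legacy roots ship in the Windows trusted root store by default, so `Get-LegacyTrustedRoot` will usually return results on any machine. The certificates reported by `Get-LegacyChainedCertificate` are the ones that need to be reissued.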