Don't worry, your certificates are not days away from being invalid.

If you have been following the Symantec/Google (and Mozilla) saga you likely know two things: it has been very confusing, and if you use Symantec certificates (or any of its other brands: RapidSSL, Thawte, or GeoTrust) you are going to need to replace your certificates at some point.

Google announced its final plan last week, which will affect existing certificates starting April 2018. However, we have seen that some users are still confused if this is accurate. This post is here to set the record straight.

Google's previous and now outdated proposal would have had a large number of Symantec certificates becoming invalid on August 8th, 2017  as in, a few days from now. This is no longer applicable it's not happening.

Instead, Google opted to push back any action involving existing certificates until April 2018 (in the "Stable" version of Chrome, which most end users use. See our note below on pre-release versions). To learn about Google's final proposal, which you should be planning your changes around, please read this dedicated post.

Some have been concerned that the lack of an official post on Google's Security Blog means it is unclear what plan is being put into action.

We understand the value of a Professional & Official Post, especially when you are about to convince your organization that they don't need to worry about certificate errors in 4 days.

But since that does not exist, we are hoping this post can be the next best thing. We are going to provide citations and everything to give you (and your coworkers) all the reassurance needed to enjoy your weekends.

  1. First, let's look the proposal posted on July 27th. Darin Fisher, VP of Chrome Engineering, wrote:

    "Representing Google Chrome and the Chromium open source project, what follows is our final proposal on this matter. Chrome 66 will distrust Symantec-issued TLS certificates issued before June 1, 2016, which is tentatively scheduled [to release] on April 17, 2018."

    This was the post that superseded previous plans and is Google's final and current dates for removing trust for existing certificates.

    We will say it again: it starts April 2018.We will again plug our summary of Chrome's final plan of action.

  2. A second post from a Googler, this one by Devon O'Brien, who works on Chrome's Security team (see their by-line on this official blog post), reaffirms that the older plan is outdated:

    "The previously-stated August 2017 dates are no longer applicable."

  3. Finally, Peter Bowen, who runs Amazon's Certificate Authority and is an expert on how browser trust works, explained (in two different posts) that at this point it would be technically impossible for Symantec certificates to be affected on August 8th because no code has been added to Chrome to do that:

    "As of this morning [August 3rd], there is zero code landed in Chromium to implement any of the changes here, so August 8 is very much not happening"

Hopefully, this can set the record straight and clear up any confusion people may have had. It's April 2018, not August 2017. Capisce?

A Note On "Beta" and "Canary"

Google distributes four versions of Chrome: "Stable," "Beta," "Dev," and "Canary." It refers to these as its channels.™

The Stable channel is the version for the general public. This is the fully-tested, "standard" version that is on hundreds of millions of computers.

The other three versions are all pre-release versions that allow you to test upcoming versions of Chrome before they are finalized. That does not mean these are some sort of unstable, crazy-looking alternatives. For the most part, the other three Chrome channels look and feel the same and are fairly usable.

Each channel is rougher than the last: meaning it has been tested less and has more bugs. Each Chrome version passes through the channels starting at Canary, usually months in advance and makes its way to Stable when it is ready for prime time.

The majority of your websites' customers and visitors will be using Stable, however, some small percentage will be on one of the other channels and will see Symantec certificates become untrusted earlier.

So, if you can, you should try to replace affected certificates early in order to avoid inconveniencing this small portion of users.

Here is an approximate breakdown of when Chrome versions 66 and 70, the two versions which will have changes for Symantec certificates, release for each channel. The exact dates may change slightly due to delays or distribution:

  Stable Beta Canary
Chrome 66 

Certificates Affected:

Any Symantec certificates issued before June 1st, 2016

April 17, 2018 March 15, 2018 Jan 19, 2018
Chrome 70

Certificates Affected:

ALL Symantec certificates issued from their current roots (which will be everything issued before December 1st, 2017).

Oct 23, 2018 Sept 13, 2018 July 31, 2018

(These dates are calculated from Darin Fisher's post and from this Chromium page. The Dev channel is not included because it does not have a strict release schedule.)