Cross-posted from the Google Security Blog.

We previously announced plans to deprecate Chrome's trust in the Symantec certificate authority (including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL). This post outlines how site operators can determine if they are affected by this deprecation, and if so, what needs to be done and by when. Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Chrome.

Chrome 66

If your site is using an SSL/TLS certificate from Symantec that was issued before June 1, 2016, it will stop functioning in Chrome 66, which could already be impacting your users.

If you are uncertain about whether your site is using such a certificate, you can preview these changes in Chrome Canary to see if your site is affected. If connecting to your site displays a certificate error or a warning in DevTools as shown below, you'll need to replace your certificate. You can get a new certificate from any trusted CA, including Digicert, which recently acquired Symantec's CA business.

An example of a certificate error that Chrome 66 users might see if you are using a Legacy Symantec SSL/TLS certificate that was issued before June 1, 2016.

The DevTools message you will see if you need to replace your certificate before Chrome 66.

Chrome 66 has already been released to the Canary and Dev channels, meaning affected sites are already impacting users of these Chrome channels. If affected sites do not replace their certificates by March 15, 2018, Chrome Beta users will begin experiencing the failures as well. You are strongly encouraged to replace your certificate as soon as possible if your site is currently showing an error in Chrome Canary.

Chrome 70

Starting in Chrome 70, all remaining Symantec SSL/TLS certificates will stop working, resulting in a certificate error like the one shown above. To check if your certificate will be affected, visit your site in Chrome today and open up DevTools. You'll see a message in the console telling you if you need to replace your certificate.

The DevTools message you will see if you need to replace your certificate before Chrome 70.

If you see this message in DevTools, you'll want to replace your certificate as soon as possible. If the certificates are not replaced, users will begin seeing certificate errors on your site as early as July 20, 2018. The first Chrome 70 Beta release will be around September 13, 2018.

Expected Chrome Release Timeline

The table below shows the First Canary, First Beta and Stable Release for Chrome 66 and 70. The first impact from a given release will coincide with the First Canary, reaching a steadily widening audience as the release hits Beta and then ultimately Stable. Site operators are strongly encouraged to make the necessary changes to their sites before the First Canary release for Chrome 66 and 70, and no later than the corresponding Beta release dates.

| | First Canary | First Beta | Stable Release |
|---|---|---|---|
| Chrome 66 | January 20, 2018 | ~ March 15, 2018 | ~ April 17, 2018 |
| Chrome 70 | ~ July 20, 2018 | ~ September 13, 2018 | ~ October 16, 2018 |

For information about the release timeline for a particular version of Chrome, you can also refer to the Chromium Development Calendar, which will be updated should release schedules change.

In order to address the needs of certain enterprise users, Chrome will also implement an Enterprise Policy that allows disabling the Legacy Symantec PKI distrust starting with Chrome 66. As of January 1, 2019, this policy will no longer be available and the Legacy Symantec PKI will be distrusted for all users.

Special Mention: Chrome 65

As noted in the previous announcement, SSL/TLS certificates from the Legacy Symantec PKI issued after December 1, 2017 are no longer trusted. This should not affect most site operators, as it requires entering into a special agreement with DigiCert to obtain such certificates. Accessing a site serving such a certificate will fail and the request will be blocked as of Chrome 65. To avoid such errors, ensure that such certificates are only served to legacy devices and not to browsers such as Chrome.
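
The three cutoffs in this post (issued before June 1, 2016 for Chrome 66, issued after December 1, 2017 for Chrome 65, everything else for Chrome 70) can be applied to a certificate inventory. The sketch below is an added example, not code from Chrome or from the original post; it assumes certificates in the dict shape Python's ssl.getpeercert() returns, and the function names, hostnames and issuer-name matching are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Brand names listed in the post. Matching them in the issuer name is a
# heuristic assumed for this example; Chrome decides by the root a chain
# leads to, not by the issuer's name.
LEGACY_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")
JUN_1_2016 = datetime(2016, 6, 1, tzinfo=timezone.utc)
DEC_1_2017 = datetime(2017, 12, 1, tzinfo=timezone.utc)

def issuer_text(cert):
    """Flatten the issuer RDNs of an ssl.getpeercert()-style dict."""
    return " ".join(v for rdn in cert.get("issuer", ()) for _, v in rdn).lower()

def first_failing_chrome(cert):
    """Return 65, 66 or 70 for a legacy-branded certificate, else None."""
    if not any(brand in issuer_text(cert) for brand in LEGACY_BRANDS):
        return None
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued < JUN_1_2016:
        return 66
    if issued >= DEC_1_2017:  # assumption: the boundary day counts as "after"
        return 65
    return 70

def audit(inventory):
    """Map host -> milestone for affected hosts, earliest milestone first."""
    hits = {h: first_failing_chrome(c) for h, c in inventory.items()}
    return dict(sorted(((h, m) for h, m in hits.items() if m), key=lambda x: x[1]))

def _cert(org, not_before):
    # Constructed certificate in the shape ssl.getpeercert() returns.
    return {"issuer": ((("organizationName", org),),
                       (("commonName", org + " Test CA"),)),
            "notBefore": not_before}

# Constructed inventory; hostnames and issuers are placeholders.
SAMPLE = {
    "old.example": _cert("GeoTrust Inc.", "Mar 14 00:00:00 2015 GMT"),
    "mid.example": _cert("Symantec Corporation", "Feb  2 00:00:00 2017 GMT"),
    "new.example": _cert("thawte, Inc.", "Jan  5 09:34:43 2018 GMT"),
    "other.example": _cert("Example Trust Services", "Mar 14 00:00:00 2015 GMT"),
}

if __name__ == "__main__":
    for host, milestone in audit(SAMPLE).items():
        print(f"{host}: replace before Chrome {milestone}")
```

A name match can flag a certificate whose chain does not lead to a Legacy Symantec root, so confirm each hit with the DevTools console message described above.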

This article sources information from the Google Webmaster Central Blog.