Rajiv Aaron Manglani

Impact of the Google/Symantec SubCA transition on Akamai Secure CDN Customers

Blog post created by Rajiv Aaron Manglani (Employee) on Aug 29, 2017

Background on the Google/Symantec SubCA Transition

At the beginning of 2017, the Google Chrome team started investigating Symantec for mis-issuing certain TLS server certificates. Over the last five months, Google and Symantec have been working to restore the industry’s confidence in certificates issued by Symantec, including certificates under the GeoTrust, RapidSSL, and Thawte brands. As always, Akamai is in close contact with Symantec, our certificate partner, providing feedback on the proposals, and representing our customers’ interests.


Google and Symantec have now indicated that trust for certificates issued by Symantec from their existing PKI infrastructure will be phased out by the Google Chrome browser in two phases, April 2018 and October 2018. After these dates, Google Chrome (and other browsers that follow suit) will stop showing the “secure padlock” for sites presenting these certificates. They may even show “insecure site” warnings in the address bar or on error pages. All existing Symantec certificates need to be renewed on their new PKI infrastructure (available on or before December 1, 2017) to continue to be trusted in future versions of Google Chrome.


Akamai is committed to making this transition smooth for our customers. Most of the affected customer certificates will rotate automatically, before Chrome’s scheduled actions. In these cases, there is no action customers need to take. Some Akamai-managed customer certificates and some third-party (customer-managed) certificates will need to be rotated early. For these certificates, Akamai will shift the scheduled renewal start date to be several months before the Chrome distrust dates. This will give time for those certificates to be rotated before the scheduled distrust dates. In all cases, customers can choose to rotate their certificates early through CPS. See below for more details.


Affected Certificates

The upcoming changes affect all certificates issued by Symantec. For Akamai customers, this includes:

  • All Akamai-managed Symantec OV Single, SAN, Wildcard, and Wildcard SAN certificates,
  • All Akamai-managed GeoTrust OV Single, SAN, and Wildcard certificates,
  • All Akamai-managed Symantec EV Single and SAN certificates, and
  • Some customer-managed third-party certificates.


Akamai-managed certificates issued by Comodo and Let’s Encrypt are not affected by these changes.


Distrust Schedule

Chrome 66 (beta in March 2018, stable April 2018) will no longer trust Symantec-issued certificates with a Not Before date of June 1, 2016 or prior.

  • No currently-valid Akamai-managed Symantec- or GeoTrust-branded OV certificates are affected by this phase out. All current Akamai-managed OV certificates were issued after June 1, 2016.
  • No currently-valid Akamai-managed Symantec-branded EV certificates are affected by this phase out. All current Akamai-managed EV certificates were issued after June 1, 2016.


Chrome 70 (beta in September 2018, stable October 2018) will no longer trust any Symantec-issued certificates issued prior to December 1, 2017, or from their old PKI infrastructure.

  • All Akamai-managed Symantec- and GeoTrust-branded OV certificates are affected by this phase out.
  • All Akamai-managed Symantec-branded EV certificates are affected by this phase out.


Google and Symantec have indicated that certificates issued by Symantec and GeoTrust after December 1, 2017 will be trusted in all planned future versions of Chrome.


New Trust Chains

Google and Symantec have indicated that all certificates issued after December 1, 2017 will be issued on a new PKI platform. New certificates will be issued with different trust chains (intermediate and root certificates) from those obtained today. Most customers will not notice this change as certificates issued with the new trust chains will continue to be trusted by existing browsers. This will be accomplished by providing a cross-signed root. For example, today Akamai obtains Symantec OV SAN certificates in this structure:

End-entity certificate
signed by the “G4 intermediate”:
C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
signed by the “G5 root”:
C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5


When TLS clients connect to the Akamai edge servers, we send the end-entity certificate and the intermediate certificate to the connecting client. The root does not need to be sent (and should not be sent) to the connecting client as the root certificate is assumed to already be in the client’s trusted root store on the device or web browser. This way the client can construct a trust path from the end-entity certificate to a locally trusted root.


Akamai-managed OV SAN certificates issued by Symantec’s new PKI infrastructure after December 1, 2017 will have this structure:

End-entity certificate
signed by the new Symantec intermediate:
(DN still to be determined)
signed by the new Symantec root:
(DN still to be determined)
signed by the existing “G5 root”:
C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5


Akamai will send the end-entity certificate, the intermediate, and a cross-signed version of the new Symantec root to connecting clients. This trust chain will enable clients that have already added the new Symantec root to their trust stores to build a trust chain terminating in the new root that is in their trusted root store. It also enables clients which have not yet added the new root (or those that never will) to construct a trust path from the end-entity certificate to the existing trusted “G5” root.


Certificates with the legacy “Cross-signed 1k root” option enabled in CPS will see a new trust chain with this structure:

End-entity certificate
signed by the new Symantec intermediate:
(DN still to be determined)
signed by the new Symantec root:
(DN still to be determined)
signed by the existing “G5 root”:
C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
signed by the existing “1k root”:
C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority


We recommend that customers move away from the 1k root as soon as possible. Most customers have no need for the 1k root as TLS clients have been upgraded to support the Default trust chain. This can be accomplished today in CPS by selecting the “Default” trust chain for your certificates.


Google and Symantec have indicated that Akamai customers should expect new trust chains for all Akamai-managed OV and EV certificate types, from both GeoTrust and Symantec. DigiCert has announced their intention to purchase Symantec’s PKI business. The root certificates in these new trust chains may be newly generated under the Symantec brand, or they may be an existing DigiCert root. These new trust chains have not yet been generated, and the industry has yet to receive them from Symantec. Once the complete trust chains are available, we will update this announcement, and post them on our Community page “SSL/TLS certificate chains for Akamai-managed certificates”.


What actions do customers need to take?

  • If your certificates were issued prior to June 1, 2016, they will need to be renewed prior to April 2018. We will reach out directly to the affected customers and will start early renewal of these certificates in January 2018.
  • All currently-valid Akamai-managed OV certificates issued prior to October 2017 will automatically rotate on their regular schedule 60 days prior to expiration. This means that existing and future certificates, issued prior to October 2017, will all naturally expire prior to being distrusted in October 2018. Existing certificates will continue to be trusted by browsers until they are replaced with the newly issued certificates. No customer actions beyond responding to the validation emails and phone calls from Symantec are required.
  • All other Akamai-managed OV certificates issued between October 2017 and December 2017, as well as all Akamai-managed EV certificates, regardless of issuance date, will need to be renewed prior to October 2018. Starting in January 2018, we will be in touch with the affected customers. We intend to shift the renewal dates earlier for existing certificates so their replacements can be issued prior to the October 2018 distrust date.
  • The scheduled distrust of Symantec-issued certificates applies to all Symantec brands including GeoTrust, RapidSSL, and Thawte. Customers who have third-party certificates on the Akamai Secure CDN from these brands may also be affected by these changes. These third-party certificates can be renewed after December 1, 2017 by generating and downloading a CSR from our Certificate Provisioning System (CPS), and sending that CSR to Symantec to obtain a new certificate.
  • At any time, customers can force early renewal of their certificates (both Akamai-managed and third-party) by going into CPS and performing an “Edit and Submit” action for your certificate. We recommend waiting until after December 1, 2017 when certificates will be issued by Symantec’s new PKI infrastructure.


FAQ

Is there a cost or contract impact because of this change?

No, your current contracted rates remain intact. No additional Akamai paperwork is required.


Why is Akamai continuing to partner with Symantec for certificate issuance?

Symantec, and soon to be DigiCert, is the global leader in SSL/TLS certificate issuance. They continue to be the best fit for the needs of our customer base. As announced in April 2016, Symantec remains our strategic partner for issuance of OV and EV certificates.


What if I do not want an OV or EV certificate from Symantec?

Akamai offers fully managed and automated DV SAN certificates from Let’s Encrypt. We also offer a third-party solution that gives customers the ability to get an SSL certificate of any type from their provider of choice.


How will the sale of Symantec’s PKI business to DigiCert affect my certificates?

DigiCert’s parent company, Thoma Bravo, has announced their intention to acquire the Symantec PKI business in Q4 2017 (Symantec’s fiscal Q3 2018). Under current plans, this purchase will not impact the transition process outlined above. Even after the sale, customers with Akamai-managed OV and EV certificates will continue to use the same provisioning process as they do today, using CPS in our Luna portal. Google and Symantec have indicated certificates issued after December 1, 2017 on the new Symantec infrastructure will continue to be trusted until their expiration date.


My applications are sensitive to trust chain changes. What should I do?

Ensure that Change Management (“Test on Staging”) is turned on for your certificates in our Certificate Provisioning System (CPS). This feature will allow you to inspect and test new certificates in Staging prior to production deployment. Akamai strongly discourages customers from pinning certificates in their applications.


Can you provide the new trust chains before my certificate is rotated?

Akamai will post the new trust chains, including intermediate certificates and roots, once they are available, in our Community at “SSL/TLS certificate chains for Akamai-managed certificates”.


What if my applications require a 1k root like the one provided by the “C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority” root?

We recommend that customers move away from the 1k root as soon as possible. This can be accomplished today in CPS by selecting the “Default” trust chain for your certificates. Akamai will continue to offer a trust chain with a cross-signed 1k root certificate for Symantec OV customers. Please see above for more details.


Can I obtain a new Symantec certificate prior to December 2017?

Customers can reissue certificates at any time by going into CPS and performing an “Edit and Submit” action for your certificate. We recommend waiting until after December 1, 2017 when certificates will be issued by Symantec’s new PKI infrastructure.


Why is Akamai waiting for most certificates to expire and be replaced, instead of forcing early renewal after December 2017?

While we could initiate early renewals of all our customers’ Symantec certificates, we manage tens of thousands of certificates on our Secure CDN. It is better for everyone, including our customers, if the renewal dates for certificates are spread out throughout the year.


When my certificate request is submitted to Symantec after December 1, 2017, will I have to go through the OV or EV validation process again?

The exact validation steps at the time of certificate renewal will be determined by Symantec following the industry-standard CA/Browser Forum guidelines, and as further indicated by Symantec and Google.


I’m an existing GeoTrust customer. What happens to my GeoTrust certificate?

Customers with GeoTrust certificates, a Symantec brand, issued through Akamai will continue to be renewed on GeoTrust. All GeoTrust certificates issued prior to December 2017 will have to be replaced by October 2018 to continue to be trusted in the Chrome browser.


Can I convert my GeoTrust certificate to a Symantec SSL certificate?

Contact your account team to transition to the new certificate authority.


Is my DV SAN certificate from Let’s Encrypt impacted by this change?

Let’s Encrypt certificates are not impacted by these changes.


I still have an Akamai-managed EV certificate from Comodo. Is it impacted by this change?

Akamai-managed Comodo EV certificates are not impacted by these changes. As previously announced, existing Comodo certificates will be replaced with a Symantec certificate prior to current certificate expiration. If this scheduled renewal occurs prior to December 1, 2017, the resulting Symantec certificate will need to be renewed prior to October 2018.


Is my third-party certificate impacted by this change?

Customers who have third-party certificates on the Akamai Secure CDN from GeoTrust, RapidSSL, Symantec, and Thawte may be affected. Customers can replace these third-party certificates after December 1, 2017 by generating and downloading a CSR from our Certificate Provisioning System (CPS), and sending that CSR to Symantec to obtain a new certificate.


Is the trust chain of the Akamai shared certificate changing?

The trust chain of the “a248” shared certificates used for the a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net, *.akamaized.net, and *.akamaized-staging.net hostnames will change in line with the directions from Google and Symantec. We will post the new certificates on our Community page “SSL/TLS certificate chains for the Akamai shared certificate” when they are available.


My origin server has a certificate issued by Symantec. When will Akamai distrust this certificate?

Akamai will continue to trust Symantec certificates for connections from the Akamai Secure CDN to origin servers until those certificates expire.


If you have any additional questions about this transition, please reach out to your Account Team or Akamai Technical Support.
