Rajiv Aaron Manglani

Impact of the Google/Symantec SubCA transition on Akamai Secure CDN Customers

Blog Post created by Rajiv Aaron Manglani Employee on Dec 12, 2017

This blog post has been updated since it was originally published on August 29, 2017. Changed items are marked with "New" or "Updated". An update history is available at the end of this page.

 

Background on the Google/Symantec SubCA Transition

At the beginning of 2017, the Google Chrome team started investigating Symantec for mis-issuing certain TLS server certificates. Over the last five months, Google and Symantec have been working to restore the industry’s confidence in certificates issued by Symantec, including certificates under the GeoTrust, RapidSSL, and Thawte brands. As always, Akamai is in close contact with Symantec, our certificate partner, providing feedback on the proposals, and representing our customers’ interests.

 

Google and Symantec have now indicated that trust for certificates issued by Symantec from their existing PKI infrastructure will be phased out by the Google Chrome browser in two phases, April 2018 and October 2018. After these dates, Google Chrome (and other browsers that follow suit) will stop showing the “secure padlock” for sites presenting these certificates. They may even show “insecure site” warnings in the address bar or on error pages. All existing Symantec certificates need to be renewed on their new PKI infrastructure (available December 1, 2017) to continue to be trusted in future versions of Google Chrome.

 

Akamai is committed to making this transition smooth for our customers. Most of the affected customer certificates will rotate automatically, before Chrome’s scheduled actions. In these cases, there is no action customers need to take. Some Akamai-managed customer certificates and some third-party (customer-managed) certificates will need to be rotated early. For these certificates, Akamai will shift the scheduled renewal start date to be several months before the Chrome distrust dates. This will give time for those certificates to be rotated before the scheduled distrust dates. In all cases, customers can choose to rotate their certificates early through our Certificate Provisioning System (CPS) in the Luna portal. See below for more details.

 

Affected Certificates

The upcoming changes, affect all certificates issued by Symantec. For Akamai customers, this includes:

  • All Akamai-managed Symantec OV Single, SAN, Wildcard, and Wildcard SAN certificates,
  • All Akamai-managed GeoTrust OV Single, SAN, and Wildcard certificates,
  • All Akamai-managed Symantec EV Single and SAN certificates, and
  • Some customer-managed third-party certificates.

 

Akamai-managed certificates issued by Comodo and Let’s Encrypt are not affected by these changes.

 

Distrust Schedule

Chrome 66 (beta in March 2018, stable April 2018) will no longer trust Symantec-issued certificates with a Not Before date of June 1, 2016 or prior.

  • No currently-valid Akamai-managed Symantec- or GeoTrust-branded OV certificates are affected by this phase out. All current Akamai-managed OV certificates were issued after June 1, 2016.
  • No currently-valid Akamai-managed Symantec-branded EV certificates are affected by this phase out. All current Akamai-managed EV certificates were issued after June 1, 2016.

 

Chrome 70 (beta in September 2018, stable October 2018) will no longer trust any Symantec-issued certificates issued prior to December 1, 2017, or from their old PKI infrastructure.

  • All Akamai-managed Symantec- and GeoTrust-branded OV certificates ordered before December 1, 2017 are affected by this phase out.
  • All Akamai-managed Symantec-branded EV certificates ordered before December 1, 2017 are affected by this phase out.

 

Google and Symantec have indicated that certificates ordered and issued by Symantec and GeoTrust after December 1, 2017 will be trusted in all planned future versions of Chrome.

 

New Trust Chains Updated

Google and Symantec have indicated that all certificates ordered and issued after December 1, 2017 will be issued on a new PKI platform. New certificates will be issued with different trust chains (intermediate and root certificates) from those obtained today. Most customers will not notice this change as certificates issued with the new trust chains will continue to be trusted by existing browsers. OV certificates issued under the GeoTrust and Symantec brands (both RSA and ECDSA) will chain to the “DigiCert Global Root CA”. EV certificates issued by Symantec (both RSA and ECDSA) will chain to the “DigiCert High Assurance EV Root CA”. Both of these root certificates have a high level of ubiquity and inclusion in web browsers’ and operating systems’ trust stores. Most clients that could connect to properties secured with certificates chaining to the old “VeriSign Class 3 Public Primary Certification Authority - G5” root will be able to connect to the same properties once their certificates are rotated onto the new trust chains.

 

Akamai publishes a list of SSL/TLS certificate chains for Akamai-managed certificates. This list has been updated with the new trust chains for Akamai-managed GeoTrust and Symantec certificates ordered and issued after December 1, 2017.

 

With these new trust chains from Symantec, Akamai is no longer able to offer managed certificates chaining up to the “VeriSign Class 3 Public Primary Certification Authority - G5” root (also known as the “G5” root), or the legacy “Class 3 Public Primary Certification Authority” root (also known as a “1k root”). We recommend that customers move away from the 1k root as soon as possible. Most customers have no need for the 1k root as TLS clients have been upgraded to support the Default trust chain. This can be accomplished today in our Certificate Provisioning System (CPS) by selecting the “Default” trust chain for your certificates.

 

What actions do customers need to take?

  • If your certificates were issued prior to June 1, 2016, they will need to be renewed prior to April 2018. We will reach directly to the affected customers and will start early renewal of these certificates in January 2018.
  • All currently-valid Akamai-managed OV certificates issued prior to October 2017 will automatically rotate on their regular schedule 60 days prior to expiration. This means that existing and future certificates, issued prior to October 2017, will all naturally expire prior to being distrusted in October 2018. Existing certificates will continue to be trusted by browsers until they are replaced with the newly issued certificates. No customer actions beyond responding to the validation emails and phone calls from Symantec are required.
  • All other Akamai-managed OV certificates issued between October 2017 and December 2017, as well as all Akamai-managed EV certificates, regardless of issuance date, will need to be renewed prior to October 2018. Starting in January 2018, we will be in touch with the affected customers. We intend to shift the renewal dates earlier for existing certificates so their replacements can be issued prior to the October 2018 distrust date.
  • The scheduled distrust of Symantec-issued certificates applies to all Symantec brands including GeoTrust, RapidSSL, and Thawte. Customers who have third-party certificates on the Akamai Secure CDN from these brands may also be affected by these changes. These third-party certificates can be renewed after December 1, 2017 by generating and downloading a CSR from our Certificate Provisioning System (CPS), and sending that CSR to Symantec to obtain a new certificate.
  • At any time, customers can force early renewal of their certificates (both Akamai-managed and third-party) by going into CPS (Legacy) and performing an “Edit and Submit” action for your certificate. We recommend waiting until after December 1, 2017 when certificates will be issued by Symantec’s new PKI infrastructure. This functionality will be available in an upcoming release of the current version of CPS.

 

FAQ

Is there a cost or contract impact because of this change?

No, your current contracted rates remain intact. No additional Akamai paperwork is required.

 

Why is Akamai continuing to partner with Symantec for certificate issuance?

Symantec, and soon to be DigiCert, is the global leader in SSL/TLS certificate issuance. They continue to be the best fit for the needs of our customer base. As announced in April 2016, Symantec remains our strategic partner for issuance of OV and EV certificates.

 

What if I do not want an OV or EV certificate from Symantec?

Akamai offers fully managed and automated DV SAN certificates from Let’s Encrypt. We also offer a third-party solution that gives customers the ability to get an SSL certificate of any type from their provider of choice.

 

How will the sale of Symantec’s PKI business to DigiCert affect my certificates? Updated

DigiCert’s parent company, Thoma Bravo, acquired the Symantec PKI business in October 2017 (Symantec’s fiscal Q3 2018). Under current plans, this purchase does not impact the transition process outlined above. Even after the sale, customers with Akamai-managed OV and EV certificates will continue to use the same provisioning process as they do today, using CPS in our Luna portal. Google and Symantec have indicated that certificates ordered and issued after December 1, 2017 on the new Symantec infrastructure will continue to be trusted until their expiration date. Newly issued certificates will chain up to an existing DigiCert root.

 

Which browsers besides Google Chrome will also distrust certificates? New

Mozilla has indicated that Firefox will follow a similar schedule to distrust certificates as published by Google for Chrome. Even if your secure property does not target Google Chrome users, we recommend rotating your certificates before the planned distrust dates.

 

The Javascript Console in the Google Chrome Web Inspector is displaying a warning about the certificate on my site. What should I do? New

Most customer certificates will expire and be renewed prior to the scheduled distrust date. The newly issued certificates will not be subject to the Chrome distrust, and will be usable until they expiry date. For these certificates, the browser warning can be safely ignored. For those certificates which expire after September 2018, Akamai will shift the scheduled renewal start date to be several months before the Chrome distrust dates. This will give time for those certificates to be rotated before the scheduled distrust dates.

 

My applications are sensitive to trust chain changes. What should I do?

Ensure that Change Management (“Test on Staging”) is turned on for your certificates in our Certificate Provisioning System (CPS). This feature will allow you to inspect and test new certificates in Staging prior to production deployment. Akamai strongly discourages customers from pinning certificates in their applications.

 

Can you provide the new trust chains before my certificate is rotated?

The new trust chains, including intermediate certificates and roots are available in our Community at SSL/TLS certificate chains for Akamai-managed certificates.

 

My applications require the existing “PCA-G5” root (“C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5”). How can I continue to use this root on my secure properties? New

We recommend that customers move away from the “G5” root and related trust chains. Symantec is no longer issuing certificates chaining to this root through partners, but may continue to do so for their direct customers. Akamai is unable to offer certificates with this root on managed certificates after December 1, 2017. If customers obtain these certificates directly from Symantec, Akamai will support them via the third-party certificate process. Please reach to your account team for details.

 

What if my applications require a 1k root like the one provided by the “C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority” root? Updated

We recommend that customers move away from the 1k root as soon as possible. Symantec no longer officially supports a 1k root option, and therefore Akamai is unable to offer this option on managed certificates after December 1, 2017. If your web property still needs a 1k root certificate, please reach to your account team to discuss how you can continue using a 1k root certificate through our third-party certificate process.

 

What happens if my certificate has the “Cross-signed 1k root” option enabled in CPS? New

The “Cross-signed 1k root” is a legacy option enabling an SSL/TLS certificate with a cross-signed certificate chain up to a 1k root. These certificates support legacy devices or platforms with older trust stores, or trust stores that cannot be updated. The 1k root option is no longer supported by our certificate authority. Certificates with this option enabled will receive the default trust chain on their next certificate modification.

 

How does this change affect OCSP Stapling? New

OCSP Stapling allows Akamai to obtain certificate validity and revocation data from a certificate authority, and then embed that information in the TLS connection between clients and Akamai servers. This feature saves browsers and clients from having to make their own connection to the certificate authority’s OCSP servers, and results in faster connection setup times. Akamai will continue to support OCSP Stapling on managed certificates. There may be a disruption in support for stapling for several weeks after December 1, 2017. All other operations will continue normally, and certificates can still be used to pass secure traffic. We intend to re-enable support for OCSP Stapling for Symantec certificates as soon as possible with no actions or changes needed by customers.

 

Can I obtain a new Symantec certificate prior to December 2017?

Customers can reissue certificates at any time by going into CPS (Legacy) and performing an “edit and submit” action for your certificate. We recommend waiting until after December 1, 2017 when certificates will be issued by Symantec’s new PKI infrastructure.

 

Why is Akamai waiting for most certificates to expire and be replaced, instead of forcing early renewal after December 2017?

While we could initiate early renewals of all our customers’ Symantec certificates, we manage tens of thousands of certificates on our Secure CDN. It is better for everyone, including our customers, if the renewal dates for certificates are spread out throughout the year.

 

My certificate had a renewal or a SAN modification order in process on December 1, 2017. How will this affect my certificate? New

Any order submitted to Symantec prior to the December 1, 2017 cutover to the new PKI hierarchy will be validated and issued by Symantec on the old PKI hierarchy. These certificates will need to be renewed prior to September 2017 in order to continue to be trusted in browsers. Akamai will shift the scheduled auto-renewal start date to be several months before the distrust dates to give time for those certificates to be rotated before the scheduled distrust dates.

 

When my certificate request is submitted to Symantec after December 1, 2017, will I have to go through the OV or EV validation process again? Updated

The exact validation steps at the time of certificate renewal will be determined by Symantec following the industry-standard CA/Browser Forum guidelines. Symantec and Google have indicated that validation data from Symantec’s old PKI infrastructure (for orders placed prior to December 1) cannot be reused.

 

I’m an existing GeoTrust customer. What happens to my GeoTrust certificate? Updated

Customers with GeoTrust certificates, a Symantec brand, issued through Akamai will continue to be renewed on GeoTrust. All GeoTrust certificates issued prior to December 2017 will have to be replaced by October 2018 to continue to be trusted in the Chrome browser. GeoTrust certificates ordered and issued after December 1, 2017 will be issued on a new trust chain and root certificate. Newly issued GeoTrust certificates will be trusted until they expire.

 

My applications require the “GeoTrust Global CA” root certificate. How do I obtain a certificate chaining up to this root? New

Akamai is unable to offer managed certificates chaining to the “GeoTrust Global CA” root certificate after December 1, 2017. Customers who need this root certificate should contact GeoTrust directly, and may upload them through our third-party certificate option. Please reach to your account team for details.

 

Can I convert my GeoTrust certificate to a Symantec SSL certificate?

Contact your account team to transition to the new certificate authority.

 

Is my DV SAN certificate from Let’s Encrypt impacted by this change?

Let’s Encrypt certificates are not impacted by these changes.

 

I still have an Akamai-managed EV certificate from Comodo. Is it impacted by this change?

Akamai-managed Comodo EV certificates are not impacted by these changes. As previously announced, existing Comodo certificates will be replaced with a Symantec certificate prior to current certificate expiration. If this scheduled renewal occurs prior to December 1, 2017, the resulting Symantec certificate will need to be renewed prior to October 2018.

 

Is my third-party certificate impacted by this change?

Customers who have third-party certificates on the Akamai Secure CDN from GeoTrust, RapidSSL, Symantec, and Thawte may be affected. Customers can replace these third-party certificates after December 1, 2017 by generating and downloading a CSR from our Certificate Provisioning System (CPS), and sending that CSR to Symantec to obtain a new certificate.

 

Is the trust chain of the Akamai shared certificate changing?

The trust chain of the “a248” shared certificates used for the a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net, *.akamaized.net, and *.akamaized-staging.net hostnames will change in line with the directions from Google and Symantec. We will post the new certificates on our Community page SSL/TLS certificate chains for the Akamai shared certificate when they are available.

 

My origin server has a certificate issued by Symantec. When will Akamai distrust this certificate?

Akamai will continue to trust Symantec certificates for connections from the Akamai Secure CDN to origin servers until those certificates expire.

 

 

If you any additional questions about this transition, please reach out to your Account Team or Akamai Technical Support.

 

 

 

Update December 12, 2017:

Added information on new trust chains, phase out of the “G5” and “1k” roots, DigiCert’s purchase of Symantec’s PKI business, Mozilla’s plans, and OCSP Stapling.

Outcomes