Starting in September 2018, Microsoft began deprecating the SSL/TLS capability of Symantec root certificates due to compliance issues. Google, Mozilla, and Apple have also announced deprecation plans related to Symantec SSL/TLS certificates. Symantec cryptographic certificates are used in critical environments across multiple industries. In 2017, DigiCert acquired Symantec’s web security business that included their certificate authority business.
Since the compliance issues were identified, Microsoft has been engaged with Symantec and DigiCert to uphold industry-wide compliance expectations and maintain customer trust. DigiCert created the deprecation schedule below in partnership with Microsoft to maintain trust in the industry while minimizing impact to our mutual customers.
During certificate renewal, customers must now replace their current certificate with one signed by a non-Symantec root. Based on the schedule below, Microsoft Edge and Internet Explorer running on Windows 10/Windows Server 2016 will no longer trust certificates signed by the associated root certificate if issued after the TLS NotBefore Date. Any certificates issued prior to this date will continue to be trusted until the certificate’s natural expiration. Internet Explorer running on legacy Windows versions will not be impacted.
Customers with questions about their certificates or this deprecation schedule are encouraged to contact DigiCert by visiting SSL Certificate Support.
|Name||Thumbprint||Planned TLS NotBefore Date|
|Symantec Class 3 Public Primary Certification Authority-G6||26A16C235A2472229B23628025BC8097C88524A1||9/30/2018|
|thawte Primary Root CA-G2||AADBBC22238FC401A127BB38DDF41DDB089EF012||9/30/2018|
|GeoTrust Universal CA||E621F3354379059A4B68309D8A2F74221587EC79||9/30/2018|
|Symantec Class 3 Public Primary Certification Authority-G4||58D52DB93301A4FD291A8C9645A08FEE7F529282||1/31/2019|
|VeriSign Class 3 Public Primary Certification Authority-G4||22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A||1/31/2019|
|GeoTrust Primary Certification Authority-G2||8D1784D537F3037DEC70FE578B519A99E610D7B0||1/1/2020|
|VeriSign Universal Root Certification Authority||3679CA35668772304D30A5FB873B0FA77BB70D54||4/30/2019|
|thawte Primary Root CA-G3||F18B538D1BE903B6A6F056435B171589CAF36BF2||4/30/2019|
|GeoTrust Primary Certification Authority-G3||039EEDB80BE7A03C6953893B20D2D9323A4C2AFD||4/30/2019|
|GeoTrust Global CA||DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212||1/1/2020|
Editor’s note 2/7/2019:
Post was edited to reflect updated Planned TLS NotBefore Dates for GeoTrust Global CA and GeoTrust Primary Certification Authority-G2.