Skip to main content
Microsoft Security

Microsoft partners with DigiCert to begin deprecating Symantec TLS certificates

Starting in September 2018, Microsoft began deprecating the SSL/TLS capability of Symantec root certificates due to compliance issues. Google, Mozilla, and Apple have also announced deprecation plans related to Symantec SSL/TLS certificates. Symantec cryptographic certificates are used in critical environments across multiple industries. In 2017, DigiCert acquired Symantec’s web security business that included their certificate authority business.

Since the compliance issues were identified, Microsoft has been engaged with Symantec and DigiCert to uphold industry-wide compliance expectations and maintain customer trust. DigiCert created the deprecation schedule below in partnership with Microsoft to maintain trust in the industry while minimizing impact to our mutual customers.

During certificate renewal, customers must now replace their current certificate with one signed by a non-Symantec root. Based on the schedule below, Microsoft Edge and Internet Explorer running on Windows 10/Windows Server 2016 will no longer trust certificates signed by the associated root certificate if issued after the TLS NotBefore Date. Any certificates issued prior to this date will continue to be trusted until the certificate’s natural expiration. Internet Explorer running on legacy Windows versions will not be impacted.

Customers with questions about their certificates or this deprecation schedule are encouraged to contact DigiCert by visiting SSL Certificate Support.

Name Thumbprint Planned TLS NotBefore Date
Symantec Class 3 Public Primary Certification Authority-G6 26A16C235A2472229B23628025BC8097C88524A1 9/30/2018
thawte Primary Root CA-G2 AADBBC22238FC401A127BB38DDF41DDB089EF012 9/30/2018
GeoTrust Universal CA E621F3354379059A4B68309D8A2F74221587EC79 9/30/2018
Symantec Class 3 Public Primary Certification Authority-G4 58D52DB93301A4FD291A8C9645A08FEE7F529282 1/31/2019
VeriSign Class 3 Public Primary Certification Authority-G4 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A 1/31/2019
GeoTrust Primary Certification Authority-G2 8D1784D537F3037DEC70FE578B519A99E610D7B0 1/1/2020
VeriSign Universal Root Certification Authority 3679CA35668772304D30A5FB873B0FA77BB70D54 4/30/2019
thawte Primary Root CA-G3 F18B538D1BE903B6A6F056435B171589CAF36BF2 4/30/2019
GeoTrust Primary Certification Authority-G3 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD 4/30/2019
GeoTrust 323C118E1BF7B8B65254E2E2100DD6029037F096 4/30/2019
thawte 91C6D6EE3E8AC86384E548C299295C756C817B81 4/30/2019
VeriSign 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 4/30/2019
GeoTrust Global CA DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 1/1/2020
VeriSign 132D0D45534B6997CDB2D5C339E25576609B5CC6 4/30/2019