Migrate from Symantec certificates

Applies to managed Chrome browsers and ChromeOS devices.

Symantec certificates issued before December 2017 are being phased out of support starting with Chrome version 66 (applies to Chrome browser and ChromeOS). In Chrome version 70 and later, Chrome browser and ChromeOS will stop supporting Symantec certificates. All certificates issued under Symantec brands such as GeoTrust, Equifax, Thawte, RapidSSL, and VeriSign, and those from Symantec resellers are impacted by this change.

Visitors to websites that use a Symantec certificate no longer trusted may see an error message. Also, sites that use resources (such as Javascript or CSS stylesheets) served by a host that uses a Symantec certificate, may no longer work correctly.

Which certificates are blocked depends on the Chrome version and the date the certificates were created.

Chrome version Default behavior (block)
Chrome 66 to Chrome 69 Distrust Symantec-issued certificates issued after 2017/12/01 and before 2016/06/01, but allow all certificates issued between these dates.
Chrome 70 to Chrome 73 Distrust all Symantec-issued certificates.

Plan your migration

Assess your deployment to determine the best solution for your enterprise. Click below for steps, depending on how and where you use certificates.

My enterprise uses Symantec certificates
Work with your website administrator to identify where you use Symantec certificates in your domains, and replace these as soon as possible. You can use a certificate from any Certificate Authority trusted by Chrome. This includes DigiCert which has purchased Symantec's business.
Our legacy devices only trust Symantec certificates

Some legacy devices, such as point-of-sale terminals, phone systems, or other forms of integrated hardware, are only capable of trusting Symantec certificates. If this applies to you, contact the device suppliers and ask them to support other Certificate Authorities.

If your devices can’t be updated immediately, and they use the same web servers as your Chrome users, you can enable temporary support for Symantec certificates until you replace or upgrade your devices. If this applies to you, contact the DigiCert representative assigned to your Symantec account to develop a plan to transition to a new Certificate Authority.

Our partners use Symantec certificates

If your enterprise depends on a partner site that uses Symantec certificates, contact the website administrator to find out their schedule for replacing the certificates. These sites should transition their certificates immediately, to avoid any disruption to your enterprise

If your partner can’t update their site immediately, consider enabling temporary support for Symantec certificates, until the site is updated.

Enable temporary support for Symantec certificates

To give you more time to transition from Symantec certificates, you can set a user policy to temporarily support legacy Symantec certificates. This policy will work until Chrome version 73. After version 73, this policy will stop working and all Symantec certificates will be blocked on Chrome browser and ChromeOS.

Before you begin
  • ChromeOS will support this policy until version 73. However, other OS’s such as Windows, Linux, or macOS could remove support for Symantec certificates before Chrome 73 is released. If your users are running the Chrome browser on an OS that no longer supports Symantec certificates, enabling this policy will have no effect and the certificates will not be trusted.
  • Enabling this policy is only a temporary solution to give you more time to transition to a permanent solution. Plan your migrations so that your users can access critical webpages during this transition.
  • Before rolling out this policy across your organization, test to make sure that your users can still access the sites they need to with this policy enabled.
  • This policy lets websites continue to use legacy certificates, and users visiting these sites won’t see any alerts or messages. Enabling this policy could make it difficult for you to discover which servers and sites are using legacy certificates. During the transition period, you should regularly test sites with this policy disabled to determine which sites or services need to be updated.
Admin console

Applies when users use a Chrome browser on a ChromeOS device.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenSettings. The User & browser settings page opens by default.

    If you signed up for Chrome Enterprise Core, go to Menu and then Chrome browserand thenSettings.

  3. (Optional) To apply the settings to an organization or group:
    1. On the left, select the organization or group.
    2. Make sure Managed Chrome Browser is turned on for this organization or group.
      Group settings override organizational units. Learn more .
  4. Go to the Security.
  5. Click Local trust anchor certificates.
  6. From Symantec Corporation’s legacy PKI infrastructure, select one of the following:
    1. Allow - allows legacy certificates issued by Symantec to be trusted.
    2. Block - blocks legacy certificates issued by Symantec. This setting enforces the ChromeOS default behavior. Which certificates are blocked depends on the ChromeOS version and the date the certificates were created. See this table for more information.
  7. Click Save. Or, you might click Override for an organizational unit .

    To later restore the inherited value, click Inherit (or Unset for a group).


    Settings typically take effect in minutes, but can take up to an hour to apply for everyone.
Windows

Applies when users use Chrome browser on Windows.

Using Group policies

Before you begin: Set up Chrome policies (Windows)

On your Windows computer
  1. Open your Group Policy Management Console.
  2. Go to User Configurationand thenPoliciesand thenAdministrative Templatesand thenGoogleand thenGoogle Chrome.
  3. Click Enable trust in Symantec Corporation’s Legacy PKI Infrastructure.
  4. Select Enabled.
  5. Click OK
macOS

Applies when users use Chrome browser on macOS.

Before you begin: Set up Chrome policies (macOS)

In your Chrome configuration profile, add or update the following key. Then deploy the change to your users.

  • Set the EnableSymantecLegacyInfrastructure key to true:
    <key>EnableSymantecLegacyInfrastructure</key>
         <true/>

Linux

Applies when users use Chrome Browser on Linux.

Using your preferred JSON file editor:

  1. Go to your /etc/opt/chrome/policies/managed folder.
  2. Create a new JSON file. Or open an existing JSON file.
  3. Update the file with the following code:
    {
    "EnableSymantecLegacyInfrastructure": "true"
    }
  4. Deploy the update to your users.

Related Links

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
true
Search
Clear search
Close search
Google apps
Main menu
13662027320051526965
true
Search Help Center
true
true
true
true
true
410864
false
false
  翻译: