Applies to managed Chrome browsers and ChromeOS devices.
Symantec certificates issued before December 2017 are being phased out of support starting with Chrome version 66 (applies to Chrome browser and ChromeOS). In Chrome version 70 and later, Chrome browser and ChromeOS will stop supporting Symantec certificates. All certificates issued under Symantec brands such as GeoTrust, Equifax, Thawte, RapidSSL, and VeriSign, and those from Symantec resellers are impacted by this change.
Visitors to websites that use a Symantec certificate no longer trusted may see an error message. Also, sites that use resources (such as Javascript or CSS stylesheets) served by a host that uses a Symantec certificate, may no longer work correctly.
Which certificates are blocked depends on the Chrome version and the date the certificates were created.
Chrome version | Default behavior (block) |
---|---|
Chrome 66 to Chrome 69 | Distrust Symantec-issued certificates issued after 2017/12/01 and before 2016/06/01, but allow all certificates issued between these dates. |
Chrome 70 to Chrome 73 | Distrust all Symantec-issued certificates. |
Plan your migration
Assess your deployment to determine the best solution for your enterprise. Click below for steps, depending on how and where you use certificates.
My enterprise uses Symantec certificatesSome legacy devices, such as point-of-sale terminals, phone systems, or other forms of integrated hardware, are only capable of trusting Symantec certificates. If this applies to you, contact the device suppliers and ask them to support other Certificate Authorities.
If your devices can’t be updated immediately, and they use the same web servers as your Chrome users, you can enable temporary support for Symantec certificates until you replace or upgrade your devices. If this applies to you, contact the DigiCert representative assigned to your Symantec account to develop a plan to transition to a new Certificate Authority.
If your enterprise depends on a partner site that uses Symantec certificates, contact the website administrator to find out their schedule for replacing the certificates. These sites should transition their certificates immediately, to avoid any disruption to your enterprise
If your partner can’t update their site immediately, consider enabling temporary support for Symantec certificates, until the site is updated.
Enable temporary support for Symantec certificates
To give you more time to transition from Symantec certificates, you can set a user policy to temporarily support legacy Symantec certificates. This policy will work until Chrome version 73. After version 73, this policy will stop working and all Symantec certificates will be blocked on Chrome browser and ChromeOS.
Before you begin- ChromeOS will support this policy until version 73. However, other OS’s such as Windows, Linux, or macOS could remove support for Symantec certificates before Chrome 73 is released. If your users are running the Chrome browser on an OS that no longer supports Symantec certificates, enabling this policy will have no effect and the certificates will not be trusted.
- Enabling this policy is only a temporary solution to give you more time to transition to a permanent solution. Plan your migrations so that your users can access critical webpages during this transition.
- Before rolling out this policy across your organization, test to make sure that your users can still access the sites they need to with this policy enabled.
- This policy lets websites continue to use legacy certificates, and users visiting these sites won’t see any alerts or messages. Enabling this policy could make it difficult for you to discover which servers and sites are using legacy certificates. During the transition period, you should regularly test sites with this policy disabled to determine which sites or services need to be updated.
Applies when users use a Chrome browser on a ChromeOS device.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu Chrome browserSettings.
- (Optional) To apply the settings to an organization or group:
- On the left, select the organization or group.
- Make sure Managed Chrome Browser is turned on for this organization or group.
Group settings override organizational units. Learn more .
- Go to the Security.
- Click Local trust anchor certificates.
- From Symantec Corporation’s legacy PKI infrastructure, select one of the following:
- Allow - allows legacy certificates issued by Symantec to be trusted.
- Block - blocks legacy certificates issued by Symantec. This setting enforces the ChromeOS default behavior. Which certificates are blocked depends on the ChromeOS version and the date the certificates were created. See this table for more information.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
Settings typically take effect in minutes, but can take up to an hour to apply for everyone.
Applies when users use Chrome browser on Windows.
Using Group policies
Before you begin: Set up Chrome policies (Windows)
On your Windows computer- Open your Group Policy Management Console.
- Go to User ConfigurationPoliciesAdministrative TemplatesGoogleGoogle Chrome.
- Click Enable trust in Symantec Corporation’s Legacy PKI Infrastructure.
- Select Enabled.
- Click OK
Applies when users use Chrome browser on macOS.
Before you begin: Set up Chrome policies (macOS)
In your Chrome configuration profile, add or update the following key. Then deploy the change to your users.
-
Set the EnableSymantecLegacyInfrastructure key to true:
<key>EnableSymantecLegacyInfrastructure</key>
<true/>
Applies when users use Chrome Browser on Linux.
Using your preferred JSON file editor:
- Go to your /etc/opt/chrome/policies/managed folder.
- Create a new JSON file. Or open an existing JSON file.
- Update the file with the following code:
{
"EnableSymantecLegacyInfrastructure": "true"
} - Deploy the update to your users.
Related Links
- For more information on why Google is ending support for certain Symantec certificates, see Chrome’s Plan to Distrust Symantec Certificates.
- For a detailed description of the policy, see EnableSymantecLegacyInfrastructure.
- For more information on Chrome policy templates, see Set Chrome policies for devices.
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.