Posted by Chrome Security Team Devon O'Brien, Ryan
Sleevi , GeoTrust and RapidSSL). This post outlines how website operators can determine if they are affected by this deprecation, and if so, what needs to be done and when. Failure to replace these certificates in a timely manner will cause websites to break in upcoming new versions of major browsers, including Chrome.
Chrome 66
If your site was using an SSL/TLS certificate issued by Symantec before June 1, 2016, it stopped working in Chrome 66 and may have affected your users by now.
If you're not sure if your site uses this type of certificate, you can preview it in Chrome Canary to see if these changes have an impact on your site. If connecting to your website shows a certificate error or displays a warning in DevTools as shown below, then you need to replace your certificate. You can get new certificates from any trusted CA, including Digicert, which recently acquired Symantec's CA business.
If you need to replace your certificate before Chrome66, you will see a DevTools message like this
Chrome 66 has been released to the Canary and DEV channels, which means that the affected sites have affected users of these Chrome versions. Users of the Chrome 66 Beta version will start experiencing such issues if the affected sites do not replace their certificates by March 15, 2018. If your website is currently showing errors in the canary version, it is strongly recommended that you replace your certificate as soon as possible.
Chrome 70
Starting with the Chrome 70 release, all remaining Symantec SSL/TLS certificates will stop working, eventually resulting in certificate errors as shown above. To check if your certificate is affected, go to your website in Chrome now and open DevTools. You will see a message in the console telling you if the certificate needs to be replaced.
DevTools message you will see if you need to replace your certificate before Chrome 70
If you see this message in DevTools, you need to replace your certificate soon. If the certificate is not replaced in time, users will start seeing certificate errors on your website on July 20, 2018. The first Chrome 70 Beta release will be around September 13, 2018.
Chrome Estimated Release Schedule
The table below shows when the first canary, first beta, and stable releases of Chrome 66 and Chrome 70 will be released. The initial impact starts with the first canary release, and the number of users grows steadily as the release is released in beta and eventually stable. Site operators are strongly advised to make the necessary changes to their sites before the first canary releases of Chrome 66 and Chrome 70, and no later than the corresponding beta release dates.
For the release schedule for specific versions of Chrome, you can also refer to the Chromium developer calendar, which will be updated if the release time changes. To address the needs of some enterprise users, Chrome allows enterprises to temporarily trust the legacy Symantec PKI, although starting January 1, 2019, this policy will also expire.
Content source: Google Security Blog