Symantec certificate migration: what did it change for PKI teams?


(@nhi-mgmt-group), topic starter

TL;DR: The December 1 integration deadline for validating and issuing TLS certificates for Symantec customers was met, while browsers gave existing pre-June 1, 2016 certificates until spring 2018 before distrust, according to DigiCert. The core lesson is that certificate lifecycle management is an operational identity problem, not just a PKI handoff.

NHIMG editorial — based on content published by DigiCert: DigiCert Now Validating & Issuing SSL/TLS Certificates for Symantec Customers

Questions worth separating out

Q: How should security teams handle certificate transitions without breaking dependent services?

A: Teams should inventory every certificate, identify each consuming service, and stage replacement by dependency criticality rather than by convenience.

Q: Why do certificate migrations create governance risk for machine identities?

A: Because certificates are operational credentials, and migrations often create overlapping trust states where old and new certificates coexist.

Q: What breaks when certificate replacement is managed manually?

A: Manual replacement usually breaks at scale, because renewals get missed, exceptions become undocumented, and ownership is unclear.

Practitioner guidance

  • Map every certificate trust dependency: build an inventory of all Symantec-issued and successor certificates, including owning team, renewal date, consuming application, and whether the trust chain has any external browser constraints.
  • Separate issuance from replacement planning: track new issuance, legacy replacement, and eventual distrust as three distinct workstreams so change control does not hide expiring credentials behind a successful migration banner.
  • Assign lifecycle owners before the trust window closes: name a business and technical owner for each certificate family so no certificate relies on informal knowledge when browsers or platforms enforce distrust.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • The mechanics of how Symantec front-end ordering continued while DigiCert handled backend validation and issuance.
  • The transition timing for existing Symantec-issued certificates versus new certificate orders.
  • The support path for customers dealing with validation delays and migration exceptions.
  • The specific browser distrust timeline affecting pre-June 1, 2016 certificates.

👉 Read DigiCert's update on Symantec certificate validation and issuance →
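The inventory-and-triage step from the practitioner guidance above, as an added example (it is not DigiCert's code, nor code from the NHIMG post). It models each certificate as a record with issuer, validity window, named owner, consuming services with a criticality tier, and whether renewal is automated, then splits the inventory into the three workstreams the post describes (pre-cutoff legacy, later legacy, successor), orders legacy replacement by the most critical consumer rather than by convenience, and reports the overlapping trust states and unowned certificates the thread warns about. The record layout, the issuer-name markers, the hostnames, owners, criticality tiers and the sample date are all assumptions made for the example; the inventory is constructed, not real certificate data.

```python
"""
Triage a certificate inventory during an issuer transition.

Added example for this thread, not code from DigiCert or NHIMG. Every record
below is constructed sample data: hostnames, issuer names, owners and service
names are placeholders, not real certificates.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The distrust boundary discussed in the thread: legacy certificates issued
# before 1 June 2016 were scheduled for browser distrust first.
LEGACY_CUTOFF = date(2016, 6, 1)

# Assumption: a legacy issuer is recognised by one of these substrings in the
# issuer DN. Extend with whatever issuer names your own inventory contains.
LEGACY_ISSUER_MARKERS = ("Symantec",)

# Assumed "today" for the sample run, shortly before the first distrust window.
SAMPLE_DATE = date(2018, 1, 15)


@dataclass(frozen=True)
class CertRecord:
    subject: str
    issuer: str
    not_before: date
    not_after: date
    owner: Optional[str]        # None means nobody is named for this certificate
    consumers: Dict[str, int]   # consuming service -> criticality tier (1 = most critical)
    automated: bool             # renewed by a workflow rather than by hand


def sample_inventory() -> List[CertRecord]:
    """Constructed inventory: four records across a legacy and a successor issuer."""
    return [
        CertRecord("api.example.com", "CN=Symantec Sample Issuing CA",
                   date(2016, 3, 15), date(2018, 3, 15), "platform-team",
                   {"payments": 1, "mobile-gateway": 2}, automated=False),
        CertRecord("www.example.com", "CN=Symantec Sample Issuing CA",
                   date(2017, 2, 1), date(2019, 2, 1), None,
                   {"marketing-site": 3}, automated=False),
        CertRecord("www.example.com", "CN=DigiCert Sample Issuing CA",
                   date(2017, 12, 5), date(2019, 12, 5), "web-team",
                   {"marketing-site": 3}, automated=True),
        CertRecord("internal.example.com", "CN=DigiCert Sample Issuing CA",
                   date(2018, 1, 10), date(2020, 1, 10), "infra-team",
                   {"ci": 2}, automated=True),
    ]


def is_legacy(rec: CertRecord) -> bool:
    return any(marker in rec.issuer for marker in LEGACY_ISSUER_MARKERS)


def distrust_bucket(rec: CertRecord) -> str:
    """Workstream a record belongs to: pre-cutoff legacy, later legacy, or successor."""
    if not is_legacy(rec):
        return "successor"
    return "legacy-pre-cutoff" if rec.not_before < LEGACY_CUTOFF else "legacy"


def active(records: List[CertRecord], today: date) -> List[CertRecord]:
    """Records whose validity window contains `today`."""
    return [r for r in records if r.not_before <= today < r.not_after]


def replacement_queue(records: List[CertRecord], today: date) -> List[Tuple[str, str, int]]:
    """Legacy certificates ordered by distrust bucket, then most critical consumer, then expiry."""
    rank = {"legacy-pre-cutoff": 0, "legacy": 1}
    legacy = [r for r in active(records, today) if is_legacy(r)]
    legacy.sort(key=lambda r: (rank[distrust_bucket(r)],
                               min(r.consumers.values(), default=99),
                               r.not_after))
    return [(r.subject, distrust_bucket(r), min(r.consumers.values(), default=99))
            for r in legacy]


def overlapping_trust(records: List[CertRecord], today: date) -> List[str]:
    """Subjects with a legacy and a successor certificate both active at once."""
    seen: Dict[str, set] = {}
    for r in active(records, today):
        seen.setdefault(r.subject, set()).add(is_legacy(r))
    return sorted(subject for subject, flags in seen.items() if flags == {True, False})


def unowned(records: List[CertRecord], today: date) -> List[Tuple[str, str]]:
    """Active certificates with no named owner: fix these before the trust window closes."""
    return [(r.subject, r.issuer) for r in active(records, today) if r.owner is None]


def expiring_within(records: List[CertRecord], today: date, days: int = 90) -> List[str]:
    horizon = today + timedelta(days=days)
    return [r.subject for r in active(records, today) if r.not_after <= horizon]


def programme_metrics(records: List[CertRecord], today: date) -> Dict[str, int]:
    """Counts a lifecycle programme can track release over release."""
    live = active(records, today)
    return {
        "active": len(live),
        "legacy_active": sum(is_legacy(r) for r in live),
        "outside_automation": sum(not r.automated for r in live),
        "unowned": len(unowned(records, today)),
        "overlapping_subjects": len(overlapping_trust(records, today)),
        "expiring_90d": len(expiring_within(records, today)),
    }


if __name__ == "__main__":
    inv = sample_inventory()
    for item in replacement_queue(inv, SAMPLE_DATE):
        print("replace:", item)
    print("overlapping trust:", overlapping_trust(inv, SAMPLE_DATE))
    print("no owner:", unowned(inv, SAMPLE_DATE))
    print("metrics:", programme_metrics(inv, SAMPLE_DATE))
```

On the sample data the pre-cutoff `api.example.com` certificate (tier-1 consumer, expiring within 90 days) heads the queue ahead of the later legacy `www.example.com` one, `www.example.com` is reported as an overlapping trust state because its legacy and successor certificates are both live, and the legacy `www.example.com` record is flagged as unowned. In a real programme the records would be loaded from your inventory rather than constructed here.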

(@mr-nhi)

Certificate migration is an identity governance event, not a simple PKI maintenance task. The article shows that validation and issuance changes can affect thousands of dependent systems even when no attack is involved. That makes certificate lifecycle ownership, replacement sequencing, and dependency mapping a governance issue, not just an engineering one. Practitioners should treat issuer transitions as identity programme events with explicit accountability.

A few things that frame the scale:

  • Certificate expiry is the leading cause of outages for 45% of organisations, according to The Critical Gaps in Machine Identity Management report.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How do you know if certificate lifecycle management is actually working?

A: You know it is working when the organisation can name every active certificate, prove renewal ownership, and replace expiring credentials before service impact. Good programmes also measure validation delays, expiry exceptions, and the number of certificates still outside automated workflows.

👉 Read our full editorial: Certificate lifecycle continuity after the Symantec migration
