Google has detailed its plan to deprecate Symantec-issued certificates in Chrome.
Google's decision to end its trust in Symantec certificates was the outcome of a long tussle over dodgy certificates, which came to a head when certs for example.com and various permutations of test.com escaped into the wild.
The absolute end-of-trust date is still some way off, in March 2018, but in this post, Google fills in many of the steps between now and then.
By the death-note date, all Symantec-issued TLS certificates older than June 1, 2016 must be replaced.
Chrome will distrust those certificates as of version 66, due around March or April 2018, but Google's going to start adding warnings from Chrome 62, which should land in October 2017.
As we reported in August, Symantec is handing its infrastructure over to DigiCert, and that's due to be operational by December 2017.
To comply with Google's July ultimatum, DigiCert will run both the PKI infrastructure and the Managed Partner Infrastructure to oversee certificate sales.
Google says from that point, any certificates issued by Symantec's old infrastructure will be listed for distrust in “a future Chrome update.”
Chrome 70 is another important milestone as it will kill off “any certificate chaining to Symantec roots, except for the small number issued by the independently operated and audited subordinate CAs previously disclosed to Google.”
That will impact site owners who need to get certificates from Symantec's old infrastructure between now and December 2017, Google explains, because they'll need to go through another round of certificate replacement before Chrome 70.