AnsweredAssumed Answered

Symantec distrust warning shown for new DigiCert certificate

Question asked by Richard Birkett on May 10, 2018
Latest reply on Nov 19, 2018 by Keith Shaw

We've recently replaced some of our old Symantec certificates with new ones from DigiCert, and they're signed by the chain "DigiCert Global CA G2" -> "DigiCert Global Root G2".  So far, so good.


To aid transition for clients with out of date trust lists, DigiCert has made available a version of "DigiCert Global Root G2" signed by the venerable "VeriSign Class 3 Public Primary Certification Authority - G5" root.  So our server is actually presenting three certificates (the server cert, the "DigiCert Global CA G2" intermediate, and the cross-signed "DigiCert Global Root G2"), giving browsers a choice of certification path.


The problem is that SSL Labs (both main and dev versions) is reporting that "This server's certificate will be distrusted by Google and Mozilla from September 2018".  But as I understand the distrust plans, that isn't right.  Although one of the possible paths does indeed lead to a root that will be distrusted, there is also a (shorter) path which leads to a root which will still be trusted.


Does the SSL Labs logic (or perhaps just the wording of the warning) need a tweak?  Or is there actually a requirement (which DigiCert haven't told us!) to stop presenting the cross-signed root prior to September?