Now, everyone with a clue about website security has known this for almost a year. But, some companies still haven’t figured it out.
Enough already! Update your certificates! Now!
Not sure? If your SSL/TLS certificate was issued by Symantec, Thawte, GeoTrust, or RapidSSL, your site might be both insecure and subject to being blocked for Chrome and Firefox users.
To find out for sure if your certificate is one of the ones that’s about to get zapped, check your site on Symantec’s SSL checker. This only works with Symantec, Thawte, GeoTrust, or RapidSSL certificates. It doesn’t reveal problems with other TLS certificate providers.
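A local equivalent of that check, added here as an example that is not from the article or from Symantec's checker: it reads the leaf certificate a server presents and flags issuers carrying any of the four brand names. It inspects only the leaf's issuer, so a chain that reaches a Symantec root through a differently branded intermediate is missed, and the June 2016 cut-off for the earlier Chrome 66 phase comes from Google's published distrust schedule rather than from the article.

```python
import socket
import ssl
from datetime import datetime, timezone

# Brands named in the article whose roots are being distrusted (matched case-insensitively).
DISTRUSTED_BRANDS = ("symantec", "thawte", "geotrust", "rapidssl")
# Chrome 66 already rejected Symantec-rooted certificates issued before this date; Chrome 70
# rejects the rest (dates from Google's published schedule, not from the article).
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc).timestamp()


def issuer_fields(cert):
    """Flatten the nested issuer tuples of a getpeercert() dict into {attribute: value}."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify(cert):
    """Return 'ok', 'blocked-since-chrome-66' or 'blocked-from-chrome-70' for a
    certificate dict in ssl.SSLSocket.getpeercert() layout. Only the leaf's issuer is
    inspected, so a Symantec root reached via a differently branded intermediate is missed."""
    issuer = " ".join(issuer_fields(cert).values()).lower()
    if not any(brand in issuer for brand in DISTRUSTED_BRANDS):
        return "ok"
    issued_at = ssl.cert_time_to_seconds(cert["notBefore"])  # e.g. "Mar  3 00:00:00 2015 GMT"
    return "blocked-since-chrome-66" if issued_at < CHROME66_CUTOFF else "blocked-from-chrome-70"


def fetch_leaf(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents, verified against the local trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() layout; these are not real certificates.
SAMPLE_OLD_GEOTRUST = {
    "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),),
               (("commonName", "GeoTrust Example CA"),)),
    "notBefore": "Mar  3 00:00:00 2015 GMT",
}
SAMPLE_NEW_SYMANTEC = {
    "issuer": ((("organizationName", "Symantec Corporation"),), (("commonName", "Symantec Example CA"),)),
    "notBefore": "Aug 20 00:00:00 2017 GMT",
}
SAMPLE_DIGICERT = {
    "issuer": ((("organizationName", "DigiCert Inc"),), (("commonName", "DigiCert Example CA"),)),
    "notBefore": "Feb  1 00:00:00 2018 GMT",
}
```

Against a live host, call classify(fetch_leaf("your-host.example")); a verification error raised at connection time is itself a sign that the chain is no longer trusted by the local store.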
If you’ve got a bad one and still want to use Symantec/DigiCert certificates, DigiCert will replace your insecure certificates for free. Just use your current Symantec or DigiCert account to order a replacement SSL/TLS certificate. You can also replace it with a certificate from another Certificate Authority (CA), such as Comodo CA, Entrust, or Network Solutions.
But it’s not as easy as all that. To meet the Google Chrome SSL/TLS certificate replacement requirements, DigiCert must revalidate/re-authenticate all of your domains for Domain Validation (DV), Organization Validation (OV), or Extended Validation (EV) SSL Certificates.
For DV, that’s pretty simple. In the DV Domain Control Validation (DCV) process, DigiCert sends an authorization email to your domain’s registered WHOIS owners. DigiCert can also send the authorization email to five listed domain email addresses: admin, administrator, webmaster, hostmaster, or postmaster. DigiCert will not send the authorization email to the certificate requestor or account administrator.
You can also replace a DV TLS certificate using the free Let’s Encrypt service.
To revalidate/re-authenticate your organization/company with DigiCert, you need to have someone ready to answer DigiCert when it calls a verified phone number. This call usually takes place within 24 hours after the request.
Additionally, your group’s legally-registered name must be validated/authenticated for your OV or EV certificate. So, for example, if I tried to validate a TLS certificate for my business, Vaughan-Nichols & Associates, using the acronym VNA, I’m going to get bounced.
Finally, your company or organization must have its legal name, address, and phone listed on the web with a trustworthy third-party. For example, you can do this by listing your organization with a business directory, such as Google My Business or Dun & Bradstreet.
If you elect to go with another CA for your OV or EV certificate, you’ll need to jump through the same hoops. Then, all that done, you’ll need to install the certificates. The method for this varies from CA to CA.
Sound like a lot of work? Well, yes it is. On the other hand, come October, do you want most of your site’s visitors to be locked out? I Don’t Think So.
Get on with it, before you put your business into the dumpster.