In October, Chrome and Firefox users will be blocked from websites still using insecure Symantec/DigiCert TLS certificates. If you don't want to tick off your users, you need to replace these security certificates as soon as possible. Here's how to lock down your site properly.
I was trying to transfer money from PayPal this week when Chrome blocked me from the site. "Now what?" I thought. Then, I remembered I was running Chrome 70, the canary version of the web browser. And, that Chrome, along with Firefox, was set to distrust Symantec TLS certificates with their mainline October releases.
Now, everyone with a clue about website security has known this for almost a year. But, some companies still haven't figured it out.
Enough already! Update your certificates! Now!
Not sure? If your SSL/TLS certificate was issued by Symantec, Thawte, GeoTrust, or RapidSSL, your site might be both insecure and subject to being blocked from Chrome and Firefox users.
To find out for sure if your certificate is one of the ones that's about to get zapped, check your site on Symantec's SSL checker. This only works with Symantec, Thawte, GeoTrust, or RapidSSL certificates. It doesn't reveal problems with other TLS certificate providers.
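As an added example that is not part of the article (and not Symantec's checker), here is a small Python script that pulls a site's leaf certificate and applies a first-pass heuristic on the issuer's Organization field; the two certificate dicts are constructed samples, and the host names in them are placeholders.

```python
import socket
import ssl

# Organization names used by the legacy Symantec-operated CAs (Symantec,
# Thawte, GeoTrust, RapidSSL). Replacement intermediates that DigiCert issued
# after the takeover carry O=DigiCert Inc even when the CN keeps the old
# brand, so the issuer's O field is a useful first pass, not a final verdict.
LEGACY_SYMANTEC_ORGS = ("symantec", "thawte", "geotrust", "rapidssl", "verisign")

def issuer_org(cert):
    """Organization (O) of the issuer, from an ssl.getpeercert() style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def needs_replacement(cert):
    """True if the leaf appears to come from the legacy Symantec PKI."""
    org = issuer_org(cert).lower()
    return any(brand in org for brand in LEGACY_SYMANTEC_ORGS)

def check_site(host, port=443):
    """Fetch the live certificate over TLS and run the heuristic (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return needs_replacement(cert), issuer_org(cert)

# Constructed samples in the shape getpeercert() returns; hosts are placeholders.
LEGACY_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),),
               (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
    "notBefore": "Mar  1 00:00:00 2017 GMT",
}
REPLACED_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "GeoTrust RSA CA 2018"),)),
    "notBefore": "Aug  1 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    for label, cert in (("legacy", LEGACY_CERT), ("replaced", REPLACED_CERT)):
        print(label, "needs replacement:", needs_replacement(cert))
```

Run `check_site("your-host.example")` to test a live server; the definitive test is whether the chain ends at a legacy Symantec root, so treat a clean result here as a reason to confirm with the CA's own checker rather than as proof.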
If you've got a bad one and still want to use Symantec/DigiCert certificates, DigiCert will replace your insecure certificates for free. Just use your current Symantec or DigiCert account to order a replacement SSL/TLS certificate. You can also replace it with a certificate from another Certificate Authority (CA), such as Comodo CA, Entrust, or Network Solutions.
But it's not as easy as all that. To meet the Google Chrome SSL/TLS certificate replacement requirements, DigiCert must revalidate/re-authenticate all of your domains for Domain Validation (DV), Organization Validation (OV), or Extended Validation (EV) SSL Certificates.
For DV, that's pretty simple. In the DV Domain Control Validation (DCV) process, DigiCert sends an authorization email to your domain's registered WHOIS owners. DigiCert can also send the authorization email to five listed domain email addresses: admin, administrator, webmaster, hostmaster, or postmaster. DigiCert will not send the authorization email to the certificate requestor or account administrator.
You can also replace a DV TLS certificate using the free Let's Encrypt service. For business OV and EV certificates, it's a lot more work.
To revalidate/re-authenticate your organization/company with DigiCert, you need to have someone ready to answer DigiCert when it calls a verified phone number. This call usually takes place within 24 hours after the request.
Additionally, your group's legally-registered name must be validated/authenticated for your OV or EV certificate. So, for example, if I tried to validate a TLS certificate for my business, Vaughan-Nichols & Associates, as VNA, I'd get bounced, because VNA is an acronym rather than the registered name.
Finally, your company or organization must have its legal name, address, and phone listed on the web with a trustworthy third-party. For example, you can do this by listing your organization with a business directory, such as Google My Business or Dun & Bradstreet.
If you elect to go with another CA for your OV or EV certificate, you'll need to jump through the same hoops. Then, all that done, you'll need to install the certificates. The method for this varies from CA to CA.
Sound like a lot of work? Well, yes it is. On the other hand, come October do you want most of your site's visitors to be locked out? I Don't Think So.
Get on with it, before you put your business into the dumpster.