Certificate AuthoritiesImplementation of new Web PKI Hierarchy

Symantec will be updating its Web PKI hierarchy to modernize and streamline their Public SSL/TLS certificate offerings, and align with changes requested by the browser community. Symantec expects to issue all new Public SSL/TLS certificates from new intermediate CAs by December 1, 2017

These changes will apply to all Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV) SSL/TLS certificates across all Symantec brands (GeoTrust, RapidSSL, Symantec, and Thawte brands). In order to provide the highest root compatibility for certificates issued from the new Web PKI hierarchy, the changes will require the installation of both a new intermediate CA certificate and a new cross-signed intermediate CA certificate onto servers.

Breaking it Down:

Instead of 1 intermediate you get the luxury of installing two.

“Think of these intermediates as wingmen for the SSL Certificate to help break up with the old root, and enter in a new root coming up in the near future. Eventually everyone will forget about the old root, and both wingmen wont be needed.” ~SSLSupportDesk

Root migrations are a common thing Among the CA’s and this Intermediate and Cross Intermediate structure helps the migration  for trust compatibilities among browsers, and applications.

You can already get a preview of what these New Intermediate > Cross Intermediate > Root look like by the below links.

4-Chain Intermediate Structure for migration to new root.


SSLSupportDesk is currently in the works of simplifying all these new trust intermediate certificates and will be making a change to our Root and Intermediate articles slightly before  Dec. 1st 2017 when this is suppose to take effect.

More information can be found here:


LoadingAdd to favorites

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.