Symantec will be updating its Web PKI hierarchy to modernize and streamline their Public SSL/TLS certificate offerings, and align with changes requested by the browser community. Symantec expects to issue all new Public SSL/TLS certificates from new intermediate CAs by December 1, 2017.
These changes will apply to all Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV) SSL/TLS certificates across all Symantec brands (GeoTrust, RapidSSL, Symantec, and Thawte brands). In order to provide the highest root compatibility for certificates issued from the new Web PKI hierarchy, the changes will require the installation of both a new intermediate CA certificate and a new cross-signed intermediate CA certificate onto servers.
Breaking it Down:
Instead of 1 intermediate you get the luxury of installing two.
“Think of these intermediates as wingmen for the SSL Certificate to help break up with the old root, and enter in a new root coming up in the near future. Eventually everyone will forget about the old root, and both wingmen wont be needed.” ~SSLSupportDesk
Root migrations are a common thing Among the CA’s and this Intermediate and Cross Intermediate structure helps the migration for trust compatibilities among browsers, and applications.
You can already get a preview of what these New Intermediate > Cross Intermediate > Root look like by the below links.
SSLSupportDesk is currently in the works of simplifying all these new trust intermediate certificates and will be making a change to our Root and Intermediate articles slightly before Dec. 1st 2017 when this is suppose to take effect.
More information can be found here: