We already tell you if your TLS certificate is configured in an unsafe way, is about to expire or has already expired. But there is more to it than that. Last year Google distrusted certificates of Symantec and its subsidiaries. This led to a warning in Chrome (and in the browsers of other major vendors) that is meant to stop visitors from reaching the intended website.


This only applies to certificates issued by a Symantec CA prior to June 1, 2016.

Chrome browser warning example when using a legacy certificate

There are a lot of posts out there that already explain very well why these certificates are a problem:

Monitoring Alerts

In our Website Security Monitor as well as in Discovery, you will be notified about the new issue "legacy certificate". It will look like this:

Alert in Nimbusec Website Security Monitor
Message in Nimbusec Discovery
Discovery filter for use of legacy certificates on Risk Analysis page

Solution

Symantec sold its certificate business to its competitor DigiCert. DigiCert is meant to have better infrastructure and is able to sign new certificates as of 1.12.2017.

The only solution is to replace the existing certificate with a new one from any Certificate Authority trusted by Google Chrome (and the others).
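
To find which certificates in an inventory need replacing, the rule above (issued by a Symantec CA prior to June 1, 2016) can be checked with a short Python script. This is an added example, not Nimbusec's own code; it reads the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`, and the brand list, host names and sample certificates are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Cutoff stated in the article: issued by a Symantec CA prior to June 1, 2016.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Assumption (not from the article): issuer brands treated as "Symantec and
# its subsidiaries". Adjust to the issuers present in your own inventory.
LEGACY_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl", "equifax")


def issuer_text(cert):
    """Join every issuer attribute value of a getpeercert()-style dict."""
    return " ".join(v for rdn in cert.get("issuer", ()) for _k, v in rdn).lower()


def is_legacy_certificate(cert):
    """True if the issuer names a listed brand and notBefore is before CUTOFF."""
    if not any(brand in issuer_text(cert) for brand in LEGACY_BRANDS):
        return False
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )
    return issued < CUTOFF


def legacy_hosts(inventory):
    """Return the sorted host names whose certificate must be replaced."""
    return sorted(h for h, c in inventory.items() if is_legacy_certificate(c))


def _cert(org, cn, not_before):
    """Build a constructed sample in the getpeercert() layout."""
    issuer = ((("countryName", "US"),), (("organizationName", org),), (("commonName", cn),))
    return {"issuer": issuer, "notBefore": not_before}


# Constructed sample inventory (hypothetical hosts, not real scan results).
SAMPLES = {
    "shop.example": _cert("GeoTrust Inc.", "GeoTrust SSL CA - G3", "Mar 14 00:00:00 2015 GMT"),
    "edge.example": _cert("GeoTrust Inc.", "GeoTrust SSL CA - G3", "Jun  1 00:00:00 2016 GMT"),
    "new.example": _cert("Symantec Corporation", "Symantec Class 3 Secure Server CA - G4", "Feb  2 00:00:00 2017 GMT"),
    "blog.example": _cert("Let's Encrypt", "Let's Encrypt Authority X1", "Jan 10 00:00:00 2016 GMT"),
}

if __name__ == "__main__":
    for host in legacy_hosts(SAMPLES):
        print(f"{host}: legacy certificate, replace it")
```

Matching on the issuer name is a heuristic: browsers decide based on the root the chain leads to, so confirm any hit against the full chain before ordering a replacement.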