0

Results of Our Investigation

Created on Apr 21 2016, 5:00 PM by Roxane Divol

Investigating and remediating the test certificate mis-issuance incident has been a top priority for Symantec, and my team specifically. We have completed our investigation and have confirmed that the certificate mis-issuance was limited to certificates issued for internal Symantec testing purposes. Our investigation uncovered no evidence of malicious intent, nor harm to anyone. No customer or partner action is needed.

As we previously disclosed, Symantec learned in September 2015 that it had generated a number of internal test certificates in a manner not fully consistent with its policies. These included certificates to unregistered domains and domains for which Symantec did not have authorization from the domain owner. We immediately commenced an investigation to identify and revoke mis-issued certificates. We also sought to determine and remediate the root causes of the mis-issuances and to confirm that no harm had resulted from the incident.

Our now completed investigation has confirmed that each of the mis-issued certificates we have identified was issued solely for internal Symantec testing purposes.  Each of these test certificates has been revoked or expired and we have contacted the relevant domain owners.  Further, we have and will continue to work with the browser community to blacklist these test certificates where they deem appropriate.

Since this issue first arose, Symantec has implemented changes to our test certificate policies, processes, and controls designed to prevent this from happening again, and we will continue to further evaluate and strengthen those policies, procedures, and controls. We remain fully committed to the continued trust of our roots across browsers and enhancing the security of the global certificate infrastructure. In support of this commitment, as we announced on February 12, 2016, we have already implemented extensive support for Certificate Transparency.

We have sought to proactively implement the important lessons learned from this experience as we now return our attention to an innovative and exciting year for Website Security.

Additional information, including the list of mis-issued test certificates that we have identified, is available here.

  • Products
  • DigiCert SSL TLS Certificates
  • Products and Solutions
  • Symantec Website Security