The JDK will stop trusting TLS Server certificates by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec. Any TLS Server certificate issued after April 16, 2019 will be restricted. This change has already been implemented and is in JDK 12 (see JDK-8207258).
Apple has requested more time to transition their users off of the legacy Symantec Root CAs that will be distrusted for TLS Server certificates. They are working with DigiCert on a transition plan and have requested a later distrust date: December 31, 2019. This later distrust date would only apply to TLS Server certificates issued from two Apple subordinate CAs: "Apple IST CA 2 - G1" and "Apple IST CA 8 - G1". Any certificate issued after that date will be distrusted. Other vendors such as Mozilla have granted similar exemptions to these Apple subCAs.