SSL certificate migration from the SHA-1 to SHA-2 algorithm

Should you take any actions?

Here is the basic logic to follow for the SHA-1/SHA-2 transition:

1. If you have an active SSL certificate, read on; if not, you are probably not affected and can disregard the SHA-2 hassle.
2. If you have an active certificate, visit this page and check the signature algorithm of your installed certificate.
3. If the signature algorithm is SHA-1, reissue your certificate (for instructions, see this article).
4. If it is SHA-2, no additional action is needed from you.

SHA-2 Intermediate Certificates and Bundles

SHA-2 certificates require proper SHA-2 intermediate certificates. You can find a full list of CA bundles signed with the SHA-2 algorithm here. Make sure to use these during SSL certificate installation to avoid browser errors in the future.

Please note that Comodo (now Sectigo) is using both SHA-1 and SHA-2 root certificates. There is no final ETA for when these roots will be fully migrated to SHA-2. However, at this point the SHA-1 root certificates mentioned pose no security problems, as TLS clients trust them by their identity rather than by the signature of their hash. You can also obtain the SHA-2 root for your certificate.
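The signature-algorithm check from the steps above, extended to a whole chain so that it covers the notes on intermediates and roots, as an added example that is not Namecheap's own tooling: it reads the signatureAlgorithm OID from each DER certificate, flags SHA-1 on leaf and intermediate certificates, and exempts self-issued roots. The sample chain is constructed and unsigned, and treating issuer == subject as "root" is an assumption (no signature is verified).

```python
SHA1 = {"2a864886f70d010105": "sha1WithRSAEncryption",    # 1.2.840.113549.1.1.5
        "2a8648ce3d0401": "ecdsa-with-SHA1"}              # 1.2.840.10045.4.1
SHA2 = {"2a864886f70d01010b": "sha256WithRSAEncryption",  # 1.2.840.113549.1.1.11
        "2a8648ce3d040302": "ecdsa-with-SHA256"}          # 1.2.840.10045.4.3.2

def elements(buf):
    """Split a DER value into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes that follow
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def audit(chain):
    """For each DER certificate in chain, return (signature algorithm, verdict)."""
    rows = []
    for der in chain:
        tbs, sig_alg, _sig = elements(elements(der)[0][1])
        f = [c for t, c in elements(tbs[1]) if t != 0xA0]  # fields minus [0] version
        alg = elements(sig_alg[1])[0][1].hex()             # signatureAlgorithm OID
        root = f[2] == f[4]  # assumption: issuer == subject marks a root (not verified)
        name = SHA2.get(alg) or SHA1.get(alg) or alg
        verdict = ("ok" if alg in SHA2 else "unknown algorithm" if alg not in SHA1
                   else "sha1 root: trusted by identity" if root else "sha1: reissue or replace")
        rows.append((name, verdict))
    return rows

def enc(tag, body):  # DER-encode one element; used only to build the constructed sample
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def sample(alg_hex, issuer, subject):  # constructed, unsigned, names simplified
    alg = enc(0x30, enc(0x06, bytes.fromhex(alg_hex)) + b"\x05\x00")
    names = [enc(0x30, enc(0x0C, cn.encode())) for cn in (issuer, subject)]
    tbs = enc(0x30, enc(0xA0, b"\x02\x01\x02") + enc(0x02, b"\x01") + alg + names[0]
              + enc(0x30, b"") + names[1] + enc(0x30, b""))
    return enc(0x30, tbs + alg + enc(0x03, bytes(200)))

# Constructed chain: SHA-256 leaf, SHA-1 intermediate, SHA-1 self-issued root.
CHAIN = [sample("2a864886f70d01010b", "Example Intermediate", "www.example.test"),
         sample("2a864886f70d010105", "Example Root", "Example Intermediate"),
         sample("2a864886f70d010105", "Example Root", "Example Root")]
print(audit(CHAIN))
```

For real PEM files, convert each certificate block with Python's ssl.PEM_cert_to_DER_cert before passing it to audit.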

General Background (Why do this)

A signature algorithm is an essential part of SSL security and is one of the basic things that makes SSL certificates secure for different browsers, applications and software.

Some time ago, SHA-1 was the most popular and widely used algorithm. It replaced MD5 completely back in 2004, when MD5 was considered compromised and absolutely non-secure. Now the same thing is being done for SHA-1: it is being replaced with the more secure SHA-2 algorithm.

Though SHA-1 is still considered to be secure to use for now, the Internet community and some major web companies such as Microsoft and Google already think the world should move to the better security provided by the SHA-2 algorithm in SSL certificates, to avoid any content spoofs or man-in-the-middle attacks. To ensure the transition will be as smooth as possible, we've decided to start right away.

Microsoft announced the necessity to consider moving to the SHA-2 algorithm back in November 2013. The process of algorithm transition was not very active until early September 2014, when Google informed the public that they were beginning to sunset SHA-1 for their products, starting with Google Chrome 39.

At this time, the biggest concern is for certificate owners whose certificates expire after December 31, 2015. Starting January 1, 2016, certificates with SHA-1 are no longer issued and are eliminated from usage: they are considered non-secure in browsers and will return an error to the end user. The same goes for certificates that are signed with the SHA-2 algorithm but have a SHA-1 intermediate certificate in the chain.

Starting November 6, 2014, Namecheap provides SHA-2 signed certificates by default.
