SSL certificate migration from the SHA-1 to SHA-2 algorithm

A signature algorithm is an essential part of SSL security: it is what the certificate authority uses to create a certificate's digital signature, and browsers, applications, and other software verify that signature to confirm the certificate's authenticity.

The SHA-1 algorithm was once the most popular and widely used signature hash. It gained widespread use in 2004, when it replaced MD5 after the latter was deemed compromised and entirely insecure.

Later, a similar transition occurred for SHA-1 itself. In November 2013, Microsoft announced that certificates would need to transition to the SHA-2 algorithm. Then, in September 2014, Google publicly declared its decision to phase out the use of SHA-1 in its products, starting with Google Chrome 39.

Since January 1, 2016, SHA-1 certificates are no longer issued and have been phased out of use. Browsers consider them insecure and return an error to the end user. The same applies to certificates that are themselves signed with the SHA-2 algorithm but have an SHA-1 intermediate certificate in their chain.

Since November 6, 2014, Namecheap has provided SHA-2-signed certificates by default, with SHA-2 intermediate certificates in the chain. You can find a complete list of CA bundles signed with the SHA-2 algorithm here. The proper intermediate certificates are also provided along with your SSL certificate once it has been issued.

Please note that Comodo (now Sectigo) uses both SHA-1 and SHA-2 root certificates. There is no final ETA on when these roots will be fully migrated to SHA-2. However, SHA-1 root certificates pose no security problem at this point: TLS clients trust a root because it is present in their trust store, not because of the signature on it, so the root's self-signature (and the hash used to produce it) is never verified. If you prefer, you can obtain an SHA-2 root for your certificate as well.
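The two chain rules above (an SHA-1 leaf or intermediate fails, an SHA-1 root does not) can be checked mechanically. The following is an added example, not code from the Namecheap article: a minimal DER reader that extracts the signature-algorithm OID from each certificate in a chain and flags SHA-1 anywhere except the root. `stub_cert` and the `SHA1_RSA`/`SHA256_RSA` byte strings are constructed demo inputs standing in for real DER certificates, and the chain is assumed to be ordered leaf, intermediates, root.

```python
# Added example (not from the Namecheap article). Pure Python, no third-party
# modules. Assumption: the chain is ordered leaf -> intermediates -> root.
SIGNATURE_OIDS = {  # OID -> (name, hash family); RFC 3279, RFC 4055, RFC 5758
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # OID content octets, demo input
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11, demo input

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """OID content octets -> dotted string, e.g. '1.2.840.113549.1.1.11'."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of one DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, after_tbs = _tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = _tlv(cert, after_tbs)      # AlgorithmIdentifier ::= SEQUENCE { OID, ... }
    _, oid, _ = _tlv(alg, 0)               # the OBJECT IDENTIFIER (tag 0x06)
    return _decode_oid(oid)

def audit_chain(ders):
    """Problems in a leaf->root chain; the root's self-signature is never verified, so it is skipped."""
    problems = []
    for i, der in enumerate(ders[:-1]):
        name, family = SIGNATURE_OIDS.get(signature_oid(der), ("unknown", "?"))
        if family != "SHA-2":              # SHA-1 or anything unrecognised gets flagged
            problems.append(f"{'leaf' if i == 0 else 'intermediate'} #{i}: {name}")
    return problems

def stub_cert(oid_content):
    """Constructed stand-in for a certificate (demo input only): empty tbs, given alg, 1-byte sig."""
    alg = b"\x30" + bytes([len(oid_content) + 2]) + b"\x06" + bytes([len(oid_content)]) + oid_content
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
```

To run it on a real chain, pass the DER bytes of each certificate (for example from `openssl x509 -in cert.pem -outform DER`) to `audit_chain` in leaf-to-root order.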
