SHA-2 SSL Certificates & Why You Might Need SHA2

SHA-2 is a family of cryptographic hash functions designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST). In an SSL certificate, the hash is what the issuing CA signs over when it creates the certificate's signature. Certificates signed with a SHA-2 hash are stronger than those signed with SHA-1 or MD5, and certain applications are beginning to require them in place of SHA-1-signed certificates as of January 1, 2011.

Many organizations may be required to upgrade to SHA-2 SSL certificates (also written SHA2; SHA-256 is the member of the SHA-2 family used in practice for certificates) in conjunction with updated federal and PCI compliance standards. All of DigiCert's SSL certificate offerings can be issued as SHA-256 certificates at no extra cost.

Benefits of SHA2 SSL

Although SHA-1 certificates are still considered secure for some time yet, published cryptanalysis has identified mathematical weaknesses in SHA-1 that bring collision attacks (two different inputs producing the same hash) closer to being practical. A collision is exactly what an attacker needs to obtain a valid CA signature on a certificate the CA never approved. SHA-2 is a different design with longer outputs and does not share these weaknesses.

As an organization concerned with establishing online security, and as a service to our customers and the end-users who rely on the integrity of their systems and infrastructure, DigiCert supports those organizations that are taking all possible measures to help make SHA-256-signed certificates the standard.

PCI compliance scanners may require their clients to use SHA-2-signed SSL certificates. Certificates issued within the federal space will be required (in accordance with NIST standards) to be signed with SHA-2. If you need a SHA-2/SHA-256 certificate, you will be given the option to make your cert a SHA-2 cert during the order process for any of our standard product offerings.

Wildcards - Secure all first-level subdomains of a domain (e.g., *.domain.com) with just one certificate. Learn about Wildcard SSL or order your WildCard SSL certificate.


Unified Communications - Secures multiple names, including internal names and names from multiple base domains. UC certs are frequently used with Exchange, IIS, or to secure multiple websites on one IP address. Learn about UC SSL or order your UC certificate.


Extended Validation - EV Certs are designed to make phishing and online fraud harder by requiring stricter vetting of the organization behind the site. They turn the address bar of the user's browser green, telling visitors that you are who you claim to be. Learn about EV SSL or order your EV certificate.


Single Name Certificates - Secure one fully-qualified domain name (with and without the "www"). Learn about SSL certificates or order your SSL certificate.


SHA-2 Certificate Compatibility

The main obstacle to increased SHA-2 proliferation is that while SHA-2 certificates are compatible with most updated modern browsers, platforms, mail clients, and mobile devices, some older systems, such as those running Windows XP SP2 or older, cannot validate signatures that use a SHA-2 hash and will reject the certificate. (SHA-256 support arrived in Windows XP with Service Pack 3.)

Many organizations will be able to convert to a SHA-2 certificate setup without running into user experience issues, and many may want to encourage users running older, less secure systems to upgrade. However, because some organizations may decide not to take that route, we plan to leave SHA-256 signing as an option for users when purchasing, renewing, or reissuing their certificates. Our certificates will continue to be issued with the SHA-1 hash by default.
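Because SHA-1 remains the default, the thing to verify after an order or reissue is the signatureAlgorithm actually recorded in the certificate you received, and in every intermediate above it: a SHA-256 leaf issued under a SHA-1-signed intermediate still depends on SHA-1. The following Python script is an added example (not DigiCert's code or tooling) of that check. It uses only the standard library: a minimal DER walker reads the outer signatureAlgorithm of the X.509 Certificate structure and decodes its OID. The OID table, the function names, and the make_fake_cert helper (which builds a constructed, unsigned stand-in certificate so the script runs offline) are this example's own assumptions; nothing here verifies the signature value itself.

```python
"""Report which hash a certificate's CA signature uses (DER or PEM input).
Added example using only the standard library; not DigiCert's code."""
import base64

# Signature-algorithm OIDs seen in certificates (RFC 3279 / RFC 4055 / RFC 5758),
# mapped to (name, hash). Lookup table constructed for this example.
SIG_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption",    "MD5"),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "SHA-256"),
}
WEAK_HASHES = ("MD5", "SHA-1")


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """DER OID content octets -> dotted string, e.g. 1.2.840.113549.1.1.11."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first octet packs the first two arcs
    value = 0
    for b in raw[1:]:                      # base-128 digits, high bit set = more to come
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def load_der(data):
    """Accept DER bytes or a PEM certificate and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def signature_hash(cert):
    """Signature algorithm of one certificate and whether its hash is MD5/SHA-1."""
    der = load_der(cert)
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate entirely
    _, alg_start, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    name, digest = SIG_OIDS.get(oid, (oid, "unknown"))
    return {"oid": oid, "algorithm": name, "hash": digest, "weak": digest in WEAK_HASHES}


def weak_links(chain, last_is_root=True):
    """Indexes (0 = leaf) of chain members signed with MD5 or SHA-1.
    The self-signed root is skipped by default: clients trust it by its presence
    in the trust store, so the hash in its own signature is never verified."""
    certs = chain[:-1] if last_is_root and len(chain) > 1 else chain
    return [i for i, c in enumerate(certs) if signature_hash(c)["weak"]]


# --- constructed sample data so the check runs offline (not real certificates) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _oid_der(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))


def make_fake_cert(sig_oid, pem=False):
    """Structurally valid but unsigned stand-in Certificate: placeholder
    tbsCertificate, real AlgorithmIdentifier, dummy 2048-bit signature."""
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _oid_der(sig_oid) + _der(0x05, b""))   # OID + NULL parameters
    sig = _der(0x03, b"\x00" + bytes(256))                   # BIT STRING, 0 unused bits
    der = _der(0x30, tbs + alg + sig)
    if pem:
        return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
    return der


if __name__ == "__main__":
    chain = [make_fake_cert("1.2.840.113549.1.1.11", pem=True),  # SHA-256 leaf
             make_fake_cert("1.2.840.113549.1.1.5"),             # SHA-1 intermediate
             make_fake_cert("1.2.840.113549.1.1.5")]             # SHA-1 root, ignored
    for i, c in enumerate(chain):
        print(i, signature_hash(c))
    print("weak links:", weak_links(chain))
```

On a real deployment, replace the constructed chain with the PEM files your server presents (the leaf plus each intermediate, in order); the same signature_hash call works on them unchanged, since the DER layout of the outer Certificate SEQUENCE is fixed by the X.509 specification.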

As always, we strive to offer our customers the best in security, compatibility, and flexibility.