SHA-2 SSL Certificates & Why You Need SHA-2

SHA-2 is a family of cryptographic hash algorithms developed by the National Institute of Standards and Technology (NIST) and used to sign SSL certificates. SHA-2 is more secure than all of the hash algorithms that preceded it.

NIST required that all Federal Agencies stop using SHA-1 generated digital signatures by January 1, 2011. Microsoft announced that on January 1, 2016, they would stop trusting Code Signing Certificates generated with the SHA-1 hashing algorithm, and on January 1, 2017, they would stop trusting SHA-1 generated SSL Certificates.

Many organizations need to upgrade to SHA-2 (in practice, SHA-256) SSL certificates to meet updated federal and PCI compliance standards, and many more will soon need to upgrade because of Microsoft’s SHA-1 deprecation policy. DigiCert has offered SHA-2 certificates since October 28, 2010, which means that all of DigiCert's SSL Certificate offerings can be issued as SHA-2 certificates at no extra cost.

Benefits of SHA-2 SSL

Mathematical weaknesses have been identified in SHA-1 that could potentially be exploited to break the SHA-1 cryptographic hash. SHA-2 was designed so that these weaknesses do not apply to it.

As an organization concerned with establishing online security, and as a service to our customers and the end-users who rely on the integrity of their systems and infrastructure, DigiCert supports those organizations that are taking all possible measures to help make SHA-2 certificates the standard.

PCI compliance scanners require their clients to use SHA-2 compatible SSL Certificates. Certificates issued within the federal space are required (in accordance with NIST standards) to be issued with SHA-2. If you need a SHA-2/SHA-256 SSL certificate, you can select SHA-2 as the signature hash for your SSL Certificate during the ordering or renewal process for any of our standard product offerings.

Wildcards - Secure an entire domain (e.g., *.domain.com) with just one certificate. Learn about Wildcard SSL or order your Wildcard SSL Certificate.

Unified Communications - Secures multiple names, including internal names and names from multiple base domains. UC certs are frequently used with Exchange, IIS, or to secure multiple websites on one IP address. Learn about UC SSL or order your UC certificate.

Extended Validation - EV Certs are designed to prevent phishing and online fraud. They turn the address bar of the user's browser green, telling clients that you are who you claim to be. Learn about EV SSL or order your EV Certificate.

Single Name Certificates - Secure one fully qualified domain name (with and without the "www"). Learn about SSL Certificates or order your SSL Certificate.


SHA-2 Certificate Compatibility

Support for SHA-2 has improved. Most browsers, platforms, mail clients, and mobile devices already support SHA-2. Some older operating systems, such as Windows XP before Service Pack 3, do not support SHA-2 signed certificates.

Many organizations will convert to SHA-2 SSL Certificates without running into user experience issues, and many may want to encourage users running older, less secure systems to upgrade. For SSL Certificates expiring before December 31, 2016, you can still use SHA-1 to generate your SSL Certificate. However, when ordering or renewing any SSL Certificate that expires after December 31, 2016, SHA-2 is automatically selected by default.
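As an added example (not DigiCert's code), the following stdlib-only Python check reads the signature algorithm and notAfter date from a DER-encoded certificate and flags SHA-1 signed certificates that are still valid after December 31, 2016, the cutoff described above. The OIDs are the standard RFC 3279 values; the sample certificate it builds is a constructed, unsigned skeleton for demonstration, not a real issued certificate.

```python
import datetime as dt
# sha1WithRSAEncryption and ecdsa-with-SHA1 (RFC 3279 OIDs); the SHA-2 variants differ.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
SHA1_CUTOFF = dt.datetime(2016, 12, 31, 23, 59, 59)  # cutoff stated on this page

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # members of a constructed value (SEQUENCE) as (tag, value)
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(value):  # OBJECT IDENTIFIER body -> dotted string
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def cert_signature_info(der):
    """Return (signatureAlgorithm OID, notAfter) from a DER-encoded X.509 certificate."""
    tbs, sig_alg, _ = _children(_tlv(der, 0)[1])  # tbsCertificate, signatureAlgorithm, signatureValue
    oid = _oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # explicit [0] version is absent in v1 certificates
        fields = fields[1:]
    tag, raw = _children(fields[3][1])[1]  # serial, signature, issuer, validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return oid, dt.datetime.strptime(raw.decode("ascii"), fmt)

def needs_sha2_reissue(der):  # SHA-1 signed and still valid past the cutoff?
    oid, not_after = cert_signature_info(der)
    return oid in SHA1_SIG_OIDS and not_after > SHA1_CUTOFF

def _der(tag, body):  # short-form length only; the constructed sample stays under 128 bytes
    return bytes([tag, len(body)]) + body
def make_sample_cert(sig_oid_hex, not_after):  # constructed, unsigned skeleton, not a real cert
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"160101000000Z") + _der(0x17, not_after))
    empty = _der(0x30, b"")  # issuer, subject and SubjectPublicKeyInfo left empty
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02" + _der(0x02, b"\x01") + alg
               + empty + validity + empty + empty)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```

To audit a real certificate, pass the bytes of its DER file to needs_sha2_reissue; a PEM file must first be base64-decoded between its BEGIN/END lines.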

For additional information about making the transition to SHA-2, see Switching to SHA-2.

As always, we strive to offer our customers the best in security, compatibility, and flexibility.