Google Ending Trust for SHA-1 SSL Sites, How it Affects You

Google and Microsoft have both announced that they would end support for the SHA-1 hashing function used in a majority of SSL Certificates online at a later date, giving the 85% of sites that still use SHA-1 certificates time to plan their migration to SHA-256.

However, last week Google announced that they were accelerating their SHA-1 deprecation plan by adding a warning in Chrome for sites using SHA-1 SSL Certificates expiring in 2016 and stopping trust in sites using SHA-1 certificates that expire after 2017.

Google’s change is expected in Chrome version 39, scheduled for release in late October 2014. Future releases of Chrome will intensify the warnings and shut off access to sites that continue to use SHA-1 certificates expiring beyond their most recent deadline.

(Image courtesy of Eric Mill – konklone.com)

What to Do About SHA-1 Deprecation and How to Transition to SHA-2

Organizations facing a last-minute SHA-256 migration for SHA-1 certificates being deprecated have a number of options they should consider:

1. Understand important SHA-1 dates
Google SHA-1 Deprecation Timeline

  • Chrome 37 – current version
  • Chrome 38 – beta in progress
  • Chrome 39 – beta launch Sep 26, 2014
    • SHA-1 certs expiring Jan 1, 2017 or later receive yellow triangle warning
  • Chrome 40 – beta launch Nov 7, 2014
    • SHA-1 certs expiring between June 1, 2016 and December 31, 2016 receive yellow triangle warning
    • SHA-1 certs expiring after Jan 1, 2017 receive neutral warning (shows https in grey instead of green)
  • Chrome 41 – beta launch Q1 2015
    • SHA-1 certs expiring between Jan 1, 2016 and Dec 31, 2016 receive yellow triangle warning
    • SHA-1 certs expiring Jan 1, 2017 or later receive red strike-through warning

Microsoft SHA-1 Deprecation Timeline

  • January 1, 2016 – Microsoft will end trust for SHA-1 Code Signing Certificates
  • January 1, 2017 – Microsoft will end trust for SHA-1 SSL Certificates
2. Identify use impact
W3Schools’ latest report stated that 59.8% of all people on the Internet use Chrome and thus will be affected by this new warning starting in late October to early November.

Depending on the user environment, the percentage of users affected will differ. Some organizations may see lower numbers of affected users, others may see a significantly higher number of affected users.

For intranets or applications where users are required to use a specific browser or access the service through a custom interface, the impact may not be as severe. For public sites, however, the impact may be greater.

Administrators should identify the number of possible users affected and plan their migration accordingly.

3. Find all of your SHA-1 certificates online
Keeping track of all your SHA-1 certificates online can be a tricky process, especially for organizations with certificates issued to their domain but used with 3rd party services, and with internal SSL Certificates.

DigiCert has two unique tools to help manage SHA-1 migration. The DigiCert SHA-1 Sunset Tool gives administrators a total list of public certificates issued to their domain name.

Organizations managing a number of internal servers with certificates can also use the free Certificate Inspector cloud certificate management service to scan for both internal and external certificates and quickly migrate SHA-1 certificates to SHA-2.

4. Get new SHA-2 certificates with a full SHA-2 certificate chain
By default DigiCert issues SHA-2 certificates. But for those with SHA-1 certificates from other providers, DigiCert allows for free re-keys of SSL Certificates to SHA-2, whether issued by DigiCert or not.

New SHA-2 certificates also require the full certificate chain to be SHA-2 compatible. DigiCert issues SHA-2 certificates by default from a full SHA-2 certificate chain, but other providers might still issue from a SHA-1 certificate chain, which will still trigger the security warning. Administrators should ensure that certificates from other providers are also compliant with the new guidelines to prevent any browser warning.

5. Update systems for SHA-2 compliance or extend SHA-1 to December 31, 2015
Most platforms have already been updated to support SHA-2 through patches or hot fixes. However, for platforms that don’t yet support SHA-2, administrators can re-issue their SHA-1 certificate and set its expiration date to December 31, 2015 to keep the certificate in compliance with Google’s new SHA-1 policy and avoid any browser warning for their sites online.

If you need to continue using a SHA-1 certificate because of platform compatibility issues, our 24-hour customer support team can help extend your SHA-1 SSL Certificate to the maximum deadline for free. The support team is available 24 hours by live chat and email.