Security 101 12-07-2013

Important SHA-2 SSL Certificate Questions & Answers

Flavio Martins

In 2013, Microsoft announced a change to their SSL Root Certificate Program policy that required all certificates issued to use the SHA-2 hash algorithm for higher security in SSL.

DigiCert was the first Certificate Authority (CA) to offer SHA-2 certificates to all of its customers on new certificates and allowed any customer to convert their existing SSL Certificate to use SHA-2 for free by simply re-issuing their existing certificate.

SHA-1 No Longer Trusted by 2016

The days of SHA-1 signatures in SSL Certificates are numbered. The Microsoft policy means that all certificate providers will need to migrate their existing SSL Certificates to use SHA-2 before January 1, 2016.

Important dates in SHA-2 Requirements:

  • January 2015 - Microsoft will conduct a status review and consider accelerating adoption timelines
  • January 2016 - Microsoft will end trust for applications signed with a SHA-1 signing certificate
  • January 2017 - Microsoft will end trust for websites using a SHA-1 SSL Certificate

This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it

Since the Microsoft announcement, the major browser providers Google (Chrome), Mozilla (Firefox), Opera, and Apple (Safari) have voiced their support for this decision and have also created adoption requirements within their root certificate trust programs.

Because of the change in SSL Certificate options, we sat down with DigiCert CTO Paul Tiemann to ask the important questions about the upcoming transition to SHA-2 SSL Certificates and get his expert opinion on making the SHA-2 transition as easy as possible.

Q. Is something wrong with SHA-1?

SHA-1 (Secure Hashing Algorithm) was adopted in 1995, and that is a very long time ago in internet years.  Think of the computer you were using in 1995.  Today's computers, combined with today's advances in cryptography, are putting pressure on SHA-1.  The good news: SHA-2 is pretty widely supported, so there's an opportunity for us all to move forward without causing too much pain and frustration.

Q. Are there browser compatibility issues with SHA-2?

Older versions of browsers and operating systems will naturally be incompatible with this new requirement. When they were developed, they utilized the latest standard in security, but naturally, with security improvements, updates are needed.

Browser and OS vendors always encourage users to upgrade to the latest version of their software in order to take advantage of new security policies and standards. Continuing to use old browsers or operating systems, however comfortable we may be with them, means using something that is unsafe for browsing the Internet or securing sensitive data.

For example, Windows XP before SP3 did not support SHA-2. IE7 on Windows XP pre-SP3 will give errors when connecting to a website with a SHA-2 certificate.  Firefox has supported SHA-2 since 1.0 as have the rest of the modern browsers and mobile platforms.

Naturally, as products are updated, vendors will stop issuing new security updates leaving you exposed to threats and making it easier for your information to be compromised.

Q. How is DigiCert handling the SHA-2 requirement?

We've always wanted to give our customers the very best experience in SSL. Getting it right is sometimes a balancing act: SHA-1 is more widely supported, but SHA-2 is more future-safe.

Because SSL Certificates with SHA-1 signatures will very likely not be trusted after the end of 2016, we are automatically using SHA-2 for certificates expiring after December 30, 2016. Certificates which expire before that date can still be issued with SHA-1 signatures.

Customers who still need backwards compatibility before the final deadline can contact our technical support team 24 hours a day and get help creating a SHA-1 SSL certificate.
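As an added example (not code from the original post or from DigiCert's tooling), the rule stated above, that a SHA-1-signed certificate expiring after December 30, 2016 should be reissued with SHA-2, can be checked directly from a certificate's DER encoding. The OID table, `check_cert`, the tiny encoder and the skeleton certificate built by `sample_cert` are assumptions constructed for this example; in practice the DER bytes would be read from the deployed certificate file.

```python
from datetime import datetime, timezone
# Signature-algorithm OIDs (dotted form) and the hash each one uses.
SIG_HASH = {
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}
SHA1_CUTOFF = datetime(2016, 12, 30, 23, 59, 59, tzinfo=timezone.utc)  # SHA-1 certs expiring later get SHA-2

def der_children(buf):  # split a DER SEQUENCE body into (tag, content) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                           # long-form length
            n, pos = ln & 0x7F, pos + (ln & 0x7F)
            ln = int.from_bytes(buf[pos - n:pos], "big")
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def decode_oid(body):  # DER OBJECT IDENTIFIER body -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                        # final base-128 byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def check_cert(der):
    """Return (hash, notAfter, needs_sha2) for one DER-encoded X.509 certificate."""
    tbs, sig_alg, _sig = der_children(der_children(der)[0][1])
    fields = der_children(tbs[1])  # [version], serial, signature, issuer, validity, ...
    if fields[0][0] == 0xA0:                    # skip optional [0] EXPLICIT version
        fields = fields[1:]
    not_after = datetime.strptime(der_children(fields[3][1])[1][1].decode(),
                                  "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    hash_name = SIG_HASH.get(decode_oid(der_children(sig_alg[1])[0][1]), "unknown")
    return hash_name, not_after, hash_name == "sha1" and not_after > SHA1_CUTOFF

def der(tag, body):                             # tiny DER encoder, short lengths only
    return bytes([tag, len(body)]) + body
def sample_cert(sig_oid, not_after):  # constructed skeleton with only the fields read above
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"131207000000Z") + der(0x17, not_after))
    tbs = der(0x30, der(0x02, b"\x01") + alg + der(0x30, b"") + validity)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
SHA1_RSA, SHA256_RSA = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")
```

`check_cert(sample_cert(SHA1_RSA, b"170101000000Z"))` flags the certificate, while the same certificate expiring on December 30, 2016 or signed with SHA-256 does not.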

Q. Will SHA-2 SSL Certificates work on my server?

In almost all cases the answer is yes, but there are just a few exceptions for very old server platforms or devices where vendors have yet to create a patch to enable SHA-2 support.

We're still working on our own internal list, but it looks something like this at present based on feedback from customers: Cisco ASA 5525-X, Domino v8.5.3, F5 Big IP, SonicWall TZ 210, Rocket software Jaywalk 4.1, Oracle, Cisco ASA 5510 v8.0 ASDM 6.0, netcontinuum, ISA 2006.

In most of these cases there is already a SHA-2 compatible patch or updated version available, but we recommend that you check the vendor's web site to confirm SHA-2 compatibility or contact our customer support team who will be happy to help confirm compatibility for your specific platform.

Q. What do I do if I have a SHA-2 certificate and run into a problem?

The easiest thing to do is to contact us! We can help you get a SHA-1 certificate that will expire before the cutoff date. Our technical support team is set up with no phone queues, no IVR menus, just a phone number for you to call and be connected with an SSL Engineer to answer any question that you have. If you're a little phone shy, we're also available by live chat and email, or you can always reach us online through Twitter and Facebook.

SHA-2 Certificate Migration Made Easy

We understand that not all applications can reliably use SHA-2, so migrating to the new standard needs to be made easy.

The DigiCert unlimited re-issue feature allows server administrators to reissue any certificate as a SHA-1 certificate (prior to the expiration dates). With DigiCert's SSL management tools and support team, administrators can simplify the process of moving their systems to SHA-2, eliminating downtime and hassle.
