Google’s new policy to show warnings in the Chrome browser for SHA-1 certificates as early as this November makes migration to SHA-2 a high priority for website operators
LEHI, UT (Sept. 17, 2014) —DigiCert, Inc., a leading global Certificate Authority and provider of trusted identity and authentication services, today released a free tool which helps system administrators analyze their use of SHA-1 hashing algorithms across all domains and subdomains—and map out a path for SHA-2 migration. Google’s Aug. 19 announcement that it would accelerate deprecation of SHA-1 certificates, including giving untrusted warnings to sites with SHA-1 certificates that expire in 2016, makes it necessary for many administrators to migrate to SHA-2 by as early as November or risk their customers receiving downgraded trust indicators in Chrome.
Using the DigiCert® SHA-1 Sunset Tool, administrators can determine validity periods for their SHA-1 SSL certificates and receive information about how Google’s new policy will affect user interaction with these certificates. DigiCert issues new certificates with SHA-2 by default and has done so for nearly a year. For those choosing to migrate their existing SHA-1 to a new DigiCert-issued SHA-2 certificate, DigiCert will provide a free replacement matching the length of the existing certificate licensing term, regardless of whether or not they are a DigiCert customer.
“With the busy holiday shopping season nearing and the threat of a downgraded user trust experience looming for Chrome users, DigiCert is taking extra steps to help ease the burden of accelerated SHA-2 migration timelines for administrators,” said DigiCert CEO Nicholas Hales. “Our new SHA-1 Sunset Tool saves time and effort by providing a comprehensive analysis of an organization’s certificate landscape, including where SHA-1 certificates exist, which software and hardware support SHA-2, and a review of how Google’s new timelines may affect any given site. We also understand that SHA-2 migration involves costly system and device upgrades for organizations and so we’re offering to match for free the remaining term of any existing SHA-1 certificate that is converted to SHA-2.”
Some key timelines are important to keep in mind regarding Google's SHA-1 deprecation:
- November 2014 - SHA-1 SSL Certificates expiring any time in 2017 will show a warning in Chrome.
- December 2014 - SHA-1 SSL Certificates expiring after June 1, 2016 will show a warning in Chrome.
- Q1 2015 - SHA-1 SSL Certificates expiring any time in 2016 will show a warning in Chrome.
Updated: Additionally, Microsoft has announced the following SHA-1 deprecation timelines:
- January 1, 2016 – Certificate Authorities must stop issuing new SHA-1 SSL Certificates.
- January 1, 2017 – Microsoft will stop trusting SHA-1 SSL Certificates.
Code Signing Certificates
January 1, 2016 – *For Windows 7 and later, and Windows Server 2008 R2 and later
- Microsoft will stop trusting SHA-1 Code Signing Certificates issued after December 31, 2015 with or without time stamps.
- Microsoft will stop trusting SHA-1 Code Signing Certificates issued before January 1, 2016 without time stamps.
January 14, 2020 - *For Windows 7 and later, and Windows Server 2008 R2 and later
- Microsoft will stop trusting SHA-1 Code Signing Certificates issued before January 1, 2016 with time stamps.
January 14, 2020 – *For Windows Vista/Windows 2008
- Microsoft will end support for Windows Vista and Windows 2008. CAs may continue to issue SHA-1 Code Signing Certificates so that developers can continue to support these operating systems until extended support ends.
*Note: For details concerning Microsoft's support for SHA-1 Code Signing Certificates, please refer to the Windows PKI blog posting SHA1 Deprecation Policy.
In addition to receiving a full report of their current SHA-1 deployment across all domains via the SHA-1 Sunset Tool, administrators can take advantage of other DigiCert tools and features to optimize their certificate deployment. DigiCert customers can use a built-in feature to their customer accounts to monitor SHA-2 migrations as they take place, in real-time, using the SHA-1 Sunset Tool. They also can use their account to issue new certificates and benefit from free reissues at any time. Non-DigiCert customers can access the DigiCert Certificate Inspector to review real-time SSL certificate and endpoint deployment across internal and external networks and identify areas for improvement, including flagging SHA-1 certificates and expiration dates.
DigiCert provides leading products and customer support for today’s increasingly connected world, enabling organizations to authenticate their digital identities and encrypt the data that they and their customers share online. Combining personal, timely and knowledgeable customer service with intuitive certificate management tools, DigiCert provides a five-star experience to organizations looking to optimize their security in an efficient and effective manner. As a result, DigiCert continues to attract the business of the world’s leading brands, including five of the U.S. Alexa Top 6. DigiCert also works with SMBs, manufacturers, healthcare organizations, and channel and software integration providers to help them secure information in-transit. This includes being the go-to partner for emerging markets such as the Internet of Things, Wi-Fi security and Directed Exchange of healthcare information.
To learn more about how upcoming SHA-1 deprecation timelines will affect certificate users, and to begin using the free SHA-2 migration tool, visit https://www.digicert.com/sha1-sunset/. Also, DigiCert has compiled a list of hardware and software supporting SHA-2 here: https://www.digicert.com/sha-2-compatibility.htm.
Read more details at DigiCert’s blog: https://blog.digicert.com/what-is-sha-2-and-how-it-affects-you.
About DigiCert, Inc.
DigiCert is a premier, trusted provider of enterprise security solutions with an emphasis on authentication and encryption via managed PKI and high-assurance digital certificates. Headquartered in Lehi, Utah, DigiCert is trusted by more than 80,000 of the world’s leading government, finance, healthcare, education and Fortune 500® organizations. DigiCert has been recognized with dozens of awards for providing enhanced customer value, premium customer service and market growth leadership. For the latest DigiCert news and updates, visit digicert.com, like DigiCert on Facebook® or follow Twitter® handle @digicert.