1. Check Environment for SHA-2 Certificate Support

The first step is to ensure that your environment, including both software and hardware, will support SHA-2 certificates. Refer to the SHA-2 Compatibility page for a list of supported hardware and software.

If parts of your environment will not support SHA-2, you must replace or upgrade those pieces before you can implement new certificates.

2. Find All SHA-1 Certificates

In your DigiCert Management Console, we have listed all the public facing SHA-1 certificates that will be affected by Google’s browser changes. To check your internal network for SHA-1 certificates, please use our Certificate Inspector tool.

3. Replace SHA-1 Certificates with SHA-2 Certificates

To replace your existing SHA-1 certificates with a SHA-2 certificate, you can reissue the certificate, renew the certificate, or purchase a new certificate.

We recommend that you take this opportunity to purchase a new certificate at a significantly discounted price. To the right of a certificate, click Rekey to view the certificate's discounted renewal price.

i. Generate New CSRs for Each SHA-1 Certificate

Generate new Certificate Signing Requests (CSR) for any certificates still using SHA-1 on the server where they are installed. DigiCert provides useful CSR Generators for all major server types that automate the CSR generation process. You can access the DigiCert CSR Generators in the Common Platforms & Operating Systems section of the Create a CSR (Certificate Signing Request) page.

ii. Replace SHA-1 Certificates

To replace your existing SHA-1 certificates with a SHA-2 certificate, you can reissue the certificate, renew the certificate, or purchase a new certificate.

IMPORTANT:
In your DigiCert account, on the SHA1 Sunset Certificates page, after selecting any of the Rekey options (Renew this certificate, Rekey using original CSR, or Rekey using a new CSR), we will send you a new SSL Certificate. When you receive the new certificate, you must install it on the server where the SHA-1 certificate is installed. Note that rekeying a certificate does not revoke the original certificate.

iii. Install New SHA-2 Certificates

Once you receive your new certificates, install them on your network along with any additional intermediate certificates they require. The support section of the DigiCert website contains a huge collection of support articles to answer any questions you have about installing certificates in your environment.

If you are using the DigiCert® Certificate Utility for Windows, you can use our innovative Express Install feature that will automate this process, helping you install your certificate with just a few clicks. See SSL Certificate Importing Instructions: DigiCert® Certificate Utility for Windows.

4. Test Certificate Installation

The last step is to test your website and make sure that the certificates were installed and are working properly. You can use the free DigiCert SSL Installation Diagnostics Tool to find problems. You can also use DigiCert Certificate Inspector to ensure that your servers are configured correctly.