Why Migrate to SHA-2 SSL Certificates

Certificate Inspector: Certificate Inventory and Vulnerability Management

As your security partner, DigiCert has already made SHA-256 the default for all new SSL Certificates issued, and strongly recommends that all customers update their SHA-1 certificates to SHA-2.

Cryptanalysts have urged administrators to replace their SHA-1 certificates because the risks associated with SHA-1 are greater than previously expected. While there does not appear to be an immediate danger, we strongly encourage administrators to migrate to SHA-2 as soon as feasible.

Quickly Find and Replace SHA-1 Certificates

Certificate Inspector and the SHA-1 Migration Tool help you quickly find and replace SHA-1 SSL Certificates with a free DigiCert SHA-2 certificate.

When Should I Switch to SHA-2?

Google, Mozilla, and Microsoft have already started phasing out trust for SHA-1 SSL Certificates. Chrome shows SHA-1 warnings for sites using SHA-1 certificates. Administrators who have not yet replaced their SHA-1 certificates with SHA-2 certificates should start making the switch now.

In November 2013, Microsoft announced that it would stop trusting SHA-1 certificates due to concerns that the algorithm is no longer secure. It stated that the deadlines in its SHA-1 deprecation policy reflected its estimate of the likelihood of SHA-1 attacks. Mozilla has announced a similar timeline for its products.

In August 2014, Google took an even more aggressive stance, stating that Chrome would display warnings starting in November 2014 for sites secured with SHA-1 certificates because SHA-1 is insufficiently secure. Google's intent is to phase out SHA-1 certificates on an accelerated timeline and make the transition smoother than the MD5 transition was.

In October 2015, an international team of cryptanalysts published research urging administrators to replace their SHA-1 certificates sooner, because the risks associated with SHA-1 are greater than previously expected. The published findings are theoretical and have not yet been demonstrated in a practical setting. While there does not appear to be an immediate danger, we strongly encourage administrators to migrate to SHA-2 as soon as possible.

Administrators should consider the impact this update could have and plan for the following:

  • Hardware compatible with SHA-2
  • Server software updates supporting SHA-2
  • Client software support for SHA-2
  • Custom application support for SHA-2
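
Inventorying certificates starts with knowing which hash each one's signature uses. As an added example (not DigiCert's Certificate Inspector or any code from this page), the following Python walks the outer DER structure of an X.509 certificate and classifies its signatureAlgorithm OID; the OID table and the constructed test certificates are assumptions for illustration.

```python
# Signature-algorithm OIDs (RFC 3279 / RFC 4055): dotted string -> hash family
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}

def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Convert OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Return the hash family a DER-encoded X.509 certificate is signed with."""
    _, pos, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE { ... }
    _, _, tbs_end = _tlv(der, pos)      # tbsCertificate: skip it whole
    _, alg_start, _ = _tlv(der, tbs_end)            # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)  # its first element: the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, "unknown:" + oid)

def needs_migration(der):
    """True when the certificate's own signature uses SHA-1."""
    return signature_hash(der) == "sha1"

# Constructed test certificates: a structurally valid shell around a signature OID.
def _fake_cert(oid_bytes):
    tbs = b"\x30\x02\x05\x00"           # placeholder tbsCertificate (SEQUENCE { NULL })
    alg = b"\x30" + bytes([len(oid_bytes) + 2]) + b"\x06" + bytes([len(oid_bytes)]) + oid_bytes
    body = tbs + alg + b"\x03\x02\x00\x00"   # followed by an empty BIT STRING signature
    return b"\x30" + bytes([len(body)]) + body

SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Run the same check over every certificate in a chain, since an intermediate signed with SHA-1 needs replacing just as a leaf does.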

Browsers and CAs had previously encouraged migration to SHA-2 by 2017; however, current research should prompt organizations to accelerate their plans to upgrade existing infrastructure to support SHA-2. For more information about SHA-2 timelines, please visit our SHA-2 FAQ.