How to Migrate to SHA-2 SSL Certificates

Find and Replace Internal and External SHA-1 Certificates

As your security partner, DigiCert has already made SHA-256 the default for all new SSL Certificates issued, and strongly recommends that all customers re-key their SHA-1 certificates to avoid possible browser warnings resulting from the phase-out of SHA-1 trust by Microsoft, Google, and Mozilla.

Quickly Find and Replace SHA-1 Certificates

Certificate Inspector and the SHA-1 Migration Tool help you quickly find and replace SHA-1 SSL Certificates with a free DigiCert SHA-2 certificate.
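The first step of the migration is knowing which certificates are still SHA-1 signed. The following added example (not DigiCert's Certificate Inspector or SHA-1 Migration Tool, and not code from this page) reads the outer signatureAlgorithm OID straight out of a DER-encoded certificate and matches it against the SHA-1 signature OIDs; it assumes a standard Python 3 installation, and the two sample certificates are constructed stand-ins whose only realistic part is the outer layout.

```python
import ssl
# Signature-algorithm OIDs that hash with SHA-1 (RFC 3279 / RFC 5758)
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

def _read_tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    """OID content octets -> dotted string (X.690 base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                              # last octet of this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der_cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = _read_tlv(der_cert, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(body, 0)                    # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)               # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)                # its first element is the OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def check_host(host, port=443):
    """Fetch a live server's leaf cert (needs network); intermediates need the same check."""
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    oid = signature_algorithm_oid(der)
    return oid, SHA1_SIGNATURE_OIDS.get(oid)          # name if SHA-1, else None

# Constructed stand-ins (empty tbsCertificate/signature) for offline exercise of the parser
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body             # short-form length (< 128)
def _fake_cert(oid_hex):
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)))
    return _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00"))
SHA1_RSA_CERT = _fake_cert("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA_CERT = _fake_cert("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
```

Run `check_host("example.internal")` against each host in your inventory; any non-None second value is a certificate to re-key, and the same check applied to the intermediates in the chain catches the SHA-1 intermediates that browsers also warn on.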


Important Dates

As part of their SHA-2 migration plan, Microsoft, Google, and Mozilla have announced that they will stop trusting SHA-1 certificates. Google will begin phasing out trust in SHA-1 certificates in November 2014.

SHA-1 SSL Certificates

Microsoft and Mozilla will begin phasing out trust for SHA-1 certificates in 2016. With these dates fast approaching, it’s time to move to SHA-2.

  • November 2014 – SHA-1 SSL Certificates expiring any time in 2017 will show a warning in Chrome.

  • December 2014 – SHA-1 SSL Certificates expiring after June 1, 2016 will show a warning in Chrome.

  • January 2015 – SHA-1 SSL Certificates expiring any time in 2016 will show a warning in Chrome.

  • January 1, 2017 – Microsoft and Mozilla will end trust for all SHA-1 SSL Certificates.

SHA-1 Code Signing Certificate

  • *Windows 7+/Windows 2008 R2+

    • January 1, 2016 – Microsoft will end trust for SHA-1 Code Signing Certificates issued after December 31, 2015, including all SHA-1 signed code with or without time stamps. On the same date, Microsoft will end trust for code signed without a time stamp by SHA-1 Code Signing Certificates issued before January 1, 2016.

    • January 14, 2020 – Microsoft will end trust for SHA-1 Code Signing Certificates issued before January 1, 2016, including all SHA-1 signed code with time stamps.

  • *Windows Vista/Windows 2008

    • January 14, 2020 – Microsoft will end support for Windows Vista/Windows 2008. Because these operating systems don’t support SHA-2 Code Signing Certificates, CAs may continue to issue SHA-1 Code Signing Certificates so that developers can continue to support these operating systems until their extended support ends.

  • *Note: For details concerning Microsoft's support for SHA-1 Code Signing Certificates, please refer to the Windows PKI blog post "SHA1 Deprecation Policy".

Benefits of SHA-256 SSL Security

Google, Microsoft, and Mozilla will end trust for SHA-1 certificates by 2017.

SHA-2 is a family of cryptographic hash functions (SHA-256 among them) developed by the National Institute of Standards and Technology (NIST) to replace SHA-1. NIST required that all Federal Agencies stop using SHA-1 certificates by January 1, 2011 due to mathematical weaknesses in SHA-1.

Network security experts have warned that SSL Certificates using the SHA-1 hashing algorithm are at increasing risk, because advances in computing technology are making attacks on SHA-1 more practical.

DigiCert recommends moving to SHA-2 for security reasons. Most major platforms support SHA-2 and the majority of organizations should not experience issues upgrading to SHA-2.

Should I Switch to SHA-2?

W3Schools reports that 59.8% of all Internet users use Chrome and will be affected by the SHA-1 warnings starting in November. In order to avoid warnings for Chrome users, administrators must replace any SHA-1 certificates with SHA-2.

In November 2013, Microsoft announced that it would stop trusting SHA-1 certificates due to concerns that the algorithm is no longer secure. It stated that the deadlines in the SHA-1 deprecation policy reflected their estimation of the likelihood of the threat from SHA-1 attacks. Mozilla has announced a similar timeline for its products.

In August 2014, Google took an even more aggressive stance, stating that Chrome will display warnings starting in November 2014 for sites secured with SHA-1 certificates because SHA-1 is no longer sufficiently secure. Google's intent is to phase out SHA-1 certificates on an accelerated timeline and to make the transition smoother than the move away from MD5 was.

Security Problems with SHA-1

As technology advances and attacks become more sophisticated, it makes sense that eventually a hash function’s collision resistance will become weak enough that a stronger hash function becomes necessary.

Once existing computation power is strong enough and the cost of gathering this computation power becomes practical, an industry-wide move must be made to a stronger hash algorithm—as was the case with MD5.

Taking into account the need for system compatibility, the industry has been gradually shifting toward SHA-2 over the last few years to mitigate the future threats to the SHA-1 algorithm.