Moving SHA-1 Certificates to the SHA-2 Hashing Algorithm
While there doesn’t appear to be an immediate present danger, DigiCert strongly encourage administrators to migrate to SHA-2 as soon as feasibly possible.
The following migration guide will help administrators plan and deploy SHA-2 SSL Certificates.
SHA-1 to SHA-2 Migration Steps
1. Check Environment for SHA-2 Certificate Support
The first step is to ensure that your environment, including both software and hardware, will support SHA-2 certificates. Refer to the SHA-2 compatibility page for a list of supported hardware and software.
If parts of your environment will not support SHA-2, you must replace or upgrade those pieces before you can implement new certificates.
2. Find All SHA-1 Certificates
3. Generate New CSRs for Each SHA-1 Certificate
Generate new Certificate Signing Requests (CSR) for any certificates still using SHA-1 on the server where they are installed. DigiCert provides useful CSR Generators for all major server types that automate the CSR generation process. You can access the DigiCert CSR Generators in the Common Platforms & Operating Systems section of the Create a CSR (Certificate Signing Request) page.
4. Replace SHA-1 Certificates with SHA-2 Certificates
To replace your existing SHA-1 certificates with a SHA-2 certificate, you can reissue the certificate, renew the certificate, or purchase a new certificate.
5. Install New SHA-2 Certificates
Once you receive your new certificates, install them on your network along with any additional intermediate certificates they require. The support section of the DigiCert website contains a huge collection of support articles to answer any questions you have about installing certificates in your environment.
If you are using the DigiCert® Certificate Utility for Windows, you can use our innovative Express Install feature that will automate this process, helping your install your certificate with just a few clicks. See SSL Certificate Importing Instructions: DigiCert® Certificate Utility for Windows.
6. Test Certificate Installation
The last step is to test your website and make sure that the certificates were installed and are working properly. You can use the free DigiCert SSL Installation Diagnostics Tool to find problems. You can also use DigiCert Certificate Inspector to ensure that you have not introduced other potential vulnerabilities based on how you configured the certificates.
You can use the DigiCert Certificate Inspector tool to examine your entire certificate landscape for potential vulnerabilities, including SHA-1 Certificates. With the Certificate Inspector you can enter a domain or range of IPs to not only find SHA-1 certificates but to identify which servers they are installed on in your internal and public network. Using Certificate Inspector makes tracking your migration to SHA-2 easy.
DigiCert SHA-1 Sunset Tool
The DigiCert SHA-1 Sunset Tool allows you to type in a domain name and quickly identify which of existing Websites are currently secured with a SHA-1 SSL Certificate. Once you find affected the certificates, you can see potential warnings your users could see on browsers and quickly replace any SHA-1 certificates with a free DigiCert SHA-2 certificate.
Replace SHA-1 Certificates At No Cost
DigiCert understands that migrating to SHA-2 can be difficult, especially if you hadn’t planned on migrating this soon. To make migrating SHA-1 certificates as simple as possible, we've made a number of options available at no cost.
To migrate to SHA-2:
You can reissue, extend, or replace. DigiCert certificates come with unlimited free reissues so it’s easy to replace your SHA-1 Certificate with a SHA-2 Certificate.
To re-issue any current DigiCert certificates:
You can log into your DigiCert customer account and while inside your account, follow the Reissuing a DigiCert® SSL Certificate instructions.
To renew any current DigiCert certificates:
DigiCert customers can also renew an existing certificate to get SHA-2. Starting 90 days before a certificate expires, a renew button appears inside your DigiCert customer account that lets you renew a certificate.
For non-DigiCert certificates, you can switch away from your existing SHA-1 certificate and upgrade to a DigiCert SHA-2 certificate at no cost.