Moving SHA-1 Certificates to the SHA-2 Hashing Algorithm

While there doesn’t appear to be an immediate present danger, DigiCert strongly encourage administrators to migrate to SHA-2 as soon as feasibly possible.

The following migration guide will help administrators plan and deploy SHA-2 SSL Certificates.

SHA-1 to SHA-2 Migration Steps

1. Check Environment for SHA-2 Certificate Support

The first step is to ensure that your environment, including both software and hardware, will support SHA-2 certificates. Refer to the SHA-2 compatibility page for a list of supported hardware and software.

If parts of your environment will not support SHA-2, you must replace or upgrade those pieces before you can implement new certificates.

2. Find All SHA-1 Certificates

Find all of the SHA-1 certificates in your network, regardless of issuer, by using scanning tools like DigiCert's Certificate Inspector.

3. Generate New CSRs for Each SHA-1 Certificate

Generate new Certificate Signing Requests (CSR) for any certificates still using SHA-1 on the server where they are installed.

DigiCert provides useful CSR Generators for all major server types that automate the CSR generation process. You can access the DigiCert CSR Generators in the Common Platforms & Operating Systems section of the Create a CSR (Certificate Signing Request) page.

4. Replace SHA-1 Certificates with SHA-2 Certificates

To replace your existing SHA-1 certificates with a SHA-2 certificate, you can reissue the certificate, renew the certificate, or purchase a new certificate.

5. Install New SHA-2 Certificates

Once you receive your new certificates, install them on your network along with any additional intermediate certificates they require.

The support section of the DigiCert website contains a huge collection of support articles to answer any questions you have about installing certificates in your environment.

If you are using the DigiCert® Certificate Utility for Windows, you can use our innovative Express Install feature that will automate this process, helping your install your certificate with just a few clicks. See SSL Certificate Importing Instructions: DigiCert® Certificate Utility for Windows.

6. Test Certificate Installation

The last step is to test your website and make sure that the certificates are installed and working properly. You can use the free DigiCert SSL Installation Diagnostics Tool to find problems. You can also use DigiCert Certificate Inspector to ensure that you have not introduced other potential vulnerabilities based on how you configured the certificates.

Certificate Inspector

You can use the DigiCert Certificate Inspector tool to examine your entire certificate landscape for potential vulnerabilities, including SHA-1 Certificates. With the Certificate Inspector you can enter a domain or range of IPs to not only find SHA-1 certificates but to identify which servers they are installed on in your internal and public network. Using Certificate Inspector makes tracking your migration to SHA-2 easy.


Replace SHA-1 Certificates at No Cost

DigiCert understands that migrating to SHA-2 can be difficult, especially if you hadn’t planned on migrating this soon. To make migrating SHA-1 certificates as simple as possible, we've made a number of options available at no cost.

To migrate to SHA-2:

You can reissue, extend, or replace. DigiCert certificates come with unlimited free reissues so it’s easy to replace your SHA-1 Certificate with a SHA-2 Certificate.

To re-issue any current DigiCert certificates:

You can log into your DigiCert customer account and while inside your account, follow the Reissuing a DigiCert® SSL Certificate instructions.

To renew any current DigiCert certificates:

DigiCert customers can also renew an existing certificate to get SHA-2. Starting 90 days before a certificate expires, a renew button appears inside your DigiCert customer account that lets you renew a certificate.

Non-DigiCert certificates:

For non-DigiCert certificates, you can switch away from your existing SHA-1 certificate and upgrade to a DigiCert SHA-2 certificate at no cost.