What Is SHA-2 and How the SHA-1 Deprecation Affects You

SSL pulse currently reports that only 15% sites use SHA-256 certificates as of September 2014.

Microsoft announced last year that it would end trust for SHA-1 SSL Certificates after January 1, 2017 to address possible threats in the future.

Earlier this month, Google announced they would be adding warning indicators for sites using SHA-1 certificates expiring after December 31, 2017 in an upcoming version of Chrome to be released sometime in November 2014. Subsequent updates of Chrome would also warn visitors on sites using SHA-1 certificates expiring in 2016.

As your security partner, DigiCert has already made SHA-256 the default for all new SSL Certificates issued, and strongly recommends that all customers re-key their SHA-1 certificates to avoid possible Chrome browser warnings due to the accelerated Google timeline.

Simple Tools to Make SHA-1 Migration Easy

DigiCert strongly recommends that SHA-1 certificates be updated to SHA-256 as soon as possible to avoid any possible browser warning for end users. DigiCert has two easy-to-use and free tools to make SHA-1 migration as easy as possible.

SHA-1 Tracker

The SHA-1 tracker quickly gives administrators a list of all SHA-1 certificates they have on the Internet and lets them replace any SHA-1 certificates with a free DigiCert SHA-2 certificate to make the transition to SHA-2 easier.

Certificate Inspector

If you have SHA-1 certificates on your internal networks, you can use Certificate Inspector. Certificate Inspector is a cloud-based certificate management platform that quickly finds all certificates on an internal and external network, including SHA-1 certificates and makes it easy to migrate them to SHA-2.

SHA-256 Migration Options

To ensure compliance with the Google SHA-1 policy change, we’ve put together these 3 quick options for customers and non-customers to ensure that their sites remain secure.

  1. Re-key your certificate with SHA-2

    Most certificate providers allow for free re-keys of SSL Certificates. If you have a SHA-1 certificate, your provider should allow for you to generate a new SHA-256 certificate for free.

    All DigiCert certificates come with unlimited free re-keys. Although DigiCert issues SHA-2 certificates by default, those customers using SHA-1 certificates for backwards compatibility can update their certificates to SHA-2 by using the re-key option in their DigiCert account.

  2. Replace your SHA-1 certificate with a free SHA-2 certificate

    Waiting for a new certificate to be issued can be a painful process. But getting a new certificate shouldn’t take days or weeks—DigiCert issues our fully verified and trusted certificates in a matter of minutes.

    To help you make the move as painless as possible, DigiCert is replacing any SHA-1 certificate issued by another Certificate Authority with an equivalent DigiCert SHA-256 certificate for free. The SHA-1 Sunset tool identifies all SHA-1 certificates issued to your domain and makes it easy to upgrade to SHA-2 for free.

  3. Re-issue a SHA-1 certificate up to December 31, 2015

    Most platforms have already been updated to support SHA-2 though patches or hotfixes. For platforms that don’t yet support SHA-2, administrators can re-issue their SHA-1 certificate and set the expiration date to December 31, 2015. This allows you to keep your certificates in compliance with the new SHA-1 Google policy and avoid any browser warning for your site online.

    For a full list of SHA-2 platforms, see our SHA-2 compatibility page.

    http://digicert.com/sha-2-compatibility.htmIf you need to continue using a SHA-1 certificate because of platform compatibility issues, our 24-hour customer support team can help extend your SHA-1 SSL Certificate to the maximum deadline for free.

Posted in Announcements, News