How to Replace SHA-1 with SHA-2 certificates:
Depending on the Certificate Authority and how you purchased your certificate, a reissue of the certificate may be available to you. This requires generating a new CSR, typically through a reissue or replace option in the portal used to manage your SSL certificate. The end result is a new SHA-2 SSL certificate that must then be reinstalled on the server.
- Identify certificates that use the SHA-1 algorithm. You will typically need the Order number or Common Name of the issued SSL certificate.
- If your SSL certificate was issued through Acmetek, click HERE.
Note: Contact your Certificate Authority for its procedure for replacing SHA-1 certificates with SHA-2 certificates.
- Install the new SHA-2 end-entity/SSL certificate and the SHA-2 Intermediate CA certificate on your server.
- Test your SSL installation with an SSL Checker.
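To make the first step concrete, here is an added example (not part of the original article) that identifies a SHA-1-signed certificate by reading the signatureAlgorithm OID directly from DER with only the Python standard library. The two sample "certificates" at the end are constructed, certificate-shaped byte strings built by the hypothetical fake_cert helper, not real certificates; the same parser works on a real DER file because only the outer Certificate layout (RFC 5280 section 4.1) is walked.

```python
# OIDs of signature algorithms, grouped by the hash they use (RFC 3279 / RFC 4055 / RFC 5758).
SHA1_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SHA2_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
             "1.2.840.113549.1.1.13": "sha512WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
             "1.2.840.10045.4.3.3": "ecdsa-with-SHA384"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode OID content bytes to dotted form; the first byte packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Dotted OID of Certificate.signatureAlgorithm, which RFC 5280 requires to match tbsCertificate.signature."""
    _, start, _ = read_tlv(cert, 0)                  # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)            # tbsCertificate, skipped as a whole
    _, alg_start, _ = read_tlv(cert, tbs_end)        # signatureAlgorithm ::= AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(cert[oid_start:oid_end])

def classify(cert):
    """Return ('SHA-1' | 'SHA-2' | 'unknown', algorithm name or raw OID) for a DER certificate."""
    oid = signature_algorithm(cert)
    family = "SHA-1" if oid in SHA1_OIDS else "SHA-2" if oid in SHA2_OIDS else "unknown"
    return family, {**SHA1_OIDS, **SHA2_OIDS}.get(oid, oid)

def der(tag, content):
    """Encode one DER element (short form, or two-byte long form for up to 65535 bytes)."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content

def fake_cert(oid_hex, tbs=b""):
    """Constructed certificate-shaped DER: placeholder TBS, the given algorithm, empty signature."""
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00"))

SAMPLE_SHA1_RSA = fake_cert("2a864886f70d010105")    # sha1WithRSAEncryption, constructed sample
SAMPLE_SHA256_RSA = fake_cert("2a864886f70d01010b")  # sha256WithRSAEncryption, constructed sample
```

For a real certificate, pass the bytes of a DER file to classify(); PEM input must be base64-decoded first.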
Why the SHA-1 Deprecation?
SHA-1's use on the Internet has been deprecated since 2011. The CA/Browser Forum, an industry group of leading web browsers and certificate authorities (CAs) working together, published its Baseline Requirements for SSL regarding this deprecation. These Requirements recommended that all CAs transition away from SHA-1 as soon as possible, and followed similar moves in other industries and sectors, such as NIST deprecating SHA-1 for government use in 2010. The reason is that advances in technology have brought this old algorithm to the verge of being exploited.
Microsoft and Google announced SHA-1 deprecation plans that affect websites with SHA-1 certificates, and those plans have already taken effect. According to Google's blog post "Gradually Sunsetting SHA-1", Chrome version 39 and later displays visual security indicators on sites whose SHA-1 SSL certificates are valid beyond January 1, 2016.
After 12/31/2016, most browsers will not trust certificates that use SHA-1. Use SHA-2 instead.
Purpose of Migration:
Some organizations may say their systems can't understand SHA-2 and that this industry standard needs to be extended. But at some point those organizations need to take into account that these standards have been in place since 2011. The constant refrain of "oh, we will upgrade next year" never materializes, and if the industry extended insecure practices in the face of ample evidence of their weaknesses, it would put the entire community at risk. As technology evolves, so do the security risks. Stagnation is what leaves a network vulnerable.