SSL Certificate SHA-1 to SHA-2 Transition

Due to the discovery of vulnerabilities in the SHA-1 algorithm and the continual increase in computing power, the feasibility of breaking the SHA-1 hash will increase over time. Internet browsers and Certificate Authorities (CAs) have already started to phase out SHA-1 in favour of the new SHA-2 algorithm. However, recent announcements from Google about depreciating support for SHA-1 based certificates with an expiry date in 2016 or later means that you will have to take action now to make sure your SSL setup is not affected by the accelerated transition. This article offers you more information on how this will effect your SSL setup and how you can move to SHA-2 certificates.

As of 2014, SHA-1 is still acceptable, but with the continual increase in computing power, the security of SHA-1 will become a concern in the future.

As your security partner, QualitySSL has already made SHA-256 the default hash algorithm for all new QualitySSL Certificates since September 2014.

Important Dates

As part of their SHA-2 migration plan, Google, Microsoft and Mozilla have announced that they will stop trusting SHA-1 SSL certificates. Google will begin phasing out trust in SHA-1 certificates by the end of 2014, while Microsoft and Mozilla will begin phasing out trust for SHA-1 certificates in 2016.

November 2014 - SHA-1 SSL Certificates expiring any time in 2017 will show a warning in Chrome 39.
December 2014 - SHA-1 SSL Certificates expiring after May 31, 2016 will show a warning in Chrome 40.
January 2015 - SHA-1 SSL Certificates expiring any time in 2016 will show a warning in Chrome 41.
January 1, 2016 - Microsoft ceases to trust Code Signing Certificates that use SHA-1.
January 1, 2017 - Mozilla Firefox and Microsoft ceases to trust SSL Certificates that use SHA-1.

SHA-2 Compatibility

The good news is that most commonly used operating systems, browsers, mail clients and mobile devices already support SHA-2. We have put together a compatibility list for known SHA-2 support, as there are some older operating systems such as Windows XP SP2 that do not currently support SHA-2.

The following list gives an overview of operating systems/browsers that currently support SHA-2:

Apple iOS 3.0+
Android 2.3+
Blackberry 5+
Internet Explorer 6+ (with Win XP SP3+)
Safari with Mac OS X 10.5+
Firefox 1.5+
Netscape 7.1+
Mozilla 1.4+
Opera 9.0+
Konqueror 3.5.6+
Mozilla based browsers sine 3.8+
OpenSSL 0.9.8o+
Java 1.4.2+ based products
Chrome 26+
Windows Phone 7+

The following list gives an overview of servers that currently support SHA-2:

4D Server 14.01+
Apache server 2.0.63+ with OpenSSL 0.9.8o+
Barracuda Network Access Client 3.5+
Cisco ASA 5500 8.2.3.9+ for AnyConnect VPN Sessions; 8.4(2)+ for other functionalities
CrushFTP 7.1.0+
F5 BIG-IP 10.1.0+
IBM Domino Server2 9.0+ (Bundled with HTTP 8.5+)
IBM HTTP Server2 8.5+ (Bundled with Domino 9+)
IBM z/OS v1r10+
Java based servers using Java 1.4.2+
Mac OS X Server 10.5+
OpenSSL based servers using OpenSSL 0.9.8o+
Oracle Wallet Manager 11.2.0.1+
Oracle Weblogic 10.3.1+
SonicOS (SonicWALL) 5.9.0.0+
WebSphere MQ 7.0.1.4+
Windows Server 2008
Windows Server 2012
Windows Server 2003 SP2 +patch 938397

Find and replace SHA-1 certificates for Free

We have contacted all QualitySSL customers that have certificates that expire in 2016 or later, as those certificates will be affected by the accelerated SHA-2 transition.

As a QualitySSL costumer you can get your QualitySSL certificates re-issued with SHA-256 at no cost. All you have to do is generate a new CSR and email it to support@qualityssl.com.

Please Note: Re-issuing a certificate requires the completion of the validation steps before the certificate becomes available, so please plan accordingly.

In case you have a certificate from another vendor, you can use our SSL Server Test to to check if your SSL certificate uses SHA-1 and if you decide to re-place the certificate with a new QualitySSL certificate then email your QualitySSL order number to sales@qualityssl.com and we will add 3 months to the lifetime of your new SHA-256 certificate for free.

Can you still get an SHA-1 certificate if you need it?

Yes, until December 2015 you may contact support@qualityssl.com with your order number and let us know that you want the certificate to be issued with SHA-1. Please note that SHA-1 certificates will be restricted to a lifetime of 1 year.

For additional information visit:

Google sunsetting SHA-1
Microsoft SHA1 Deprecation Policy
Mozilla Phasing Out Certificates with SHA-1 based Signature Algorithms

Questions ?

Please feel welcome to contact us by

E-mail support@qualityssl.com

Phone +45 30 29 19 09