SSL Certificate SHA-1 to SHA-2 Transition
Due to the discovery of vulnerabilities in the SHA-1 algorithm and the continual increase in computing power, the feasibility of breaking the SHA-1 hash will increase over time. Internet browsers and Certificate Authorities (CAs) have already started to phase out SHA-1 in favour of the new SHA-2 algorithm. However, recent announcements from Google about deprecating support for SHA-1 based certificates with an expiry date in 2016 or later mean that you will have to take action now to make sure your SSL setup is not affected by the accelerated transition. This article offers you more information on how this will affect your SSL setup and how you can move to SHA-2 certificates.
As of 2014, SHA-1 is still acceptable, but with the continual increase in computing power, the security of SHA-1 will become a concern in the future.
As your security partner, QualitySSL has already made SHA-256 the default hash algorithm for all new QualitySSL Certificates since September 2014.
As part of their SHA-2 migration plan, Google, Microsoft and Mozilla have announced that they will stop trusting SHA-1 SSL certificates. Google will begin phasing out trust in SHA-1 certificates by the end of 2014, while Microsoft and Mozilla will begin phasing out trust for SHA-1 certificates in 2016.
- November 2014 - SHA-1 SSL Certificates expiring any time in 2017 will show a warning in Chrome 39.
- December 2014 - SHA-1 SSL Certificates expiring after May 31, 2016 will show a warning in Chrome 40.
- January 2015 - SHA-1 SSL Certificates expiring any time in 2016 will show a warning in Chrome 41.
- January 1, 2016 - Microsoft ceases to trust Code Signing Certificates that use SHA-1.
- January 1, 2017 - Mozilla Firefox and Microsoft cease to trust SSL Certificates that use SHA-1.
The good news is that most commonly used operating systems, browsers, mail clients and mobile devices already support SHA-2. We have put together a compatibility list for known SHA-2 support, as there are some older operating systems such as Windows XP SP2 that do not currently support SHA-2.
The following list gives an overview of operating systems/browsers that currently support SHA-2:
- Apple iOS 3.0+
- Android 2.3+
- Blackberry 5+
- Internet Explorer 6+ (with Win XP SP3+)
- Safari with Mac OS X 10.5+
- Firefox 1.5+
- Netscape 7.1+
- Mozilla 1.4+
- Opera 9.0+
- Konqueror 3.5.6+
- Mozilla based browsers since 3.8+
- OpenSSL 0.9.8o+
- Java 1.4.2+ based products
- Chrome 26+
- Windows Phone 7+
The following list gives an overview of servers that currently support SHA-2:
- 4D Server 14.01+
- Apache server 2.0.63+ with OpenSSL 0.9.8o+
- Barracuda Network Access Client 3.5+
- Cisco ASA 5500 184.108.40.206+ for AnyConnect VPN Sessions; 8.4(2)+ for other functionalities
- CrushFTP 7.1.0+
- F5 BIG-IP 10.1.0+
- IBM Domino Server 9.0+ (Bundled with HTTP 8.5+)
- IBM HTTP Server 8.5+ (Bundled with Domino 9+)
- IBM z/OS v1r10+
- Java based servers using Java 1.4.2+
- Mac OS X Server 10.5+
- OpenSSL based servers using OpenSSL 0.9.8o+
- Oracle Wallet Manager 220.127.116.11+
- Oracle Weblogic 10.3.1+
- SonicOS (SonicWALL) 18.104.22.168+
- WebSphere MQ 22.214.171.124+
- Windows Server 2008
- Windows Server 2012
- Windows Server 2003 SP2 with patch 938397
Find and replace SHA-1 certificates for Free
Please Note: Re-issuing a certificate requires the completion of the validation steps before the certificate becomes available, so please plan accordingly.
In case you have a certificate from another vendor, you can use our SSL Server Test to check if your SSL certificate uses SHA-1. If you decide to replace the certificate with a new QualitySSL certificate, email your QualitySSL order number to firstname.lastname@example.org and we will add 3 months to the lifetime of your new SHA-256 certificate for free.
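If you would rather check a certificate yourself than rely on an online test, the signature hash is readable straight from the certificate's DER encoding: the outer Certificate SEQUENCE carries the signatureAlgorithm OID, and the validity field inside tbsCertificate gives the expiry date that the browser timeline above is keyed on. The following script is an added example, not QualitySSL's SSL Server Test or any code from this article; it uses only the Python standard library, the two sample certificates it builds are constructed placeholders with a dummy signature (never trust their contents), and the function `sha1_warning` encodes the Chrome/Firefox/Microsoft dates listed above, reading each threshold as "on or after" that date (an assumption made here for certificates that expire later than the stated year).

```python
"""Report the signature hash of a DER-encoded X.509 certificate and map a
SHA-1 certificate's expiry date onto the browser deprecation timeline.
Added example; standard library only; sample certificates are constructed."""
from datetime import datetime

# Signature algorithm OIDs a transition check needs to recognise.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    parts = [raw[0] // 40, raw[0] % 40]   # first byte packs the first two arcs
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # last base-128 digit of this arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def _decode_time(tag, raw):
    # 0x17 = UTCTime (YYMMDD...), 0x18 = GeneralizedTime (YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt)


def parse_certificate(der):
    """Return {'signature': name, 'hash': family, 'not_after': datetime}."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)      # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)  # signatureAlgorithm (outer one)
    _, oid_raw, _ = _read_tlv(sig_alg, 0)
    name, family = SIGNATURE_OIDS.get(_decode_oid(oid_raw), ("unknown", "unknown"))
    # tbsCertificate: [0] version (optional), serial, signature, issuer, validity, ...
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                       # explicit version present: skip serial too
        _, _, pos = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(tbs, pos)       # inner signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)       # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)
    _, _, p = _read_tlv(validity, 0)      # notBefore
    t, not_after_raw, _ = _read_tlv(validity, p)
    return {"signature": name, "hash": family, "not_after": _decode_time(t, not_after_raw)}


def sha1_warning(info):
    """Earliest point on the article's timeline at which the certificate is flagged.
    Thresholds are treated as 'on or after' the stated dates (assumption)."""
    if info["hash"] != "SHA-1":
        return None
    not_after = info["not_after"]
    if not_after >= datetime(2017, 1, 1):
        return "Chrome 39 (Nov 2014) warning; distrusted by Firefox and Microsoft from 1 Jan 2017"
    if not_after > datetime(2016, 5, 31, 23, 59, 59):
        return "Chrome 40 (Dec 2014) warning"
    if not_after >= datetime(2016, 1, 1):
        return "Chrome 41 (Jan 2015) warning"
    return "no browser warning yet, but SHA-1: replace at renewal"


# --- constructed sample certificates (placeholder DER, dummy signature) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * p[0] + p[1]])
    for arc in p[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # higher digits carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid, not_after_utc=b"170315000000Z"):
    """Constructed placeholder: correct DER layout, empty names, all-zero signature."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"140901000000Z") + _tlv(0x17, not_after_utc))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
                     + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(8)))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        info = parse_certificate(make_sample_cert(oid))
        print(info["signature"], info["not_after"].date(), sha1_warning(info))
```

To run it against a real certificate, read the DER bytes from a file (or strip the PEM armour and base64-decode) and pass them to `parse_certificate`; a result with `hash == "SHA-1"` and a warning string is a certificate to re-issue. The parser deliberately reads the outer signatureAlgorithm rather than the copy inside tbsCertificate, because the outer one is what the browser actually verifies the signature with, and the two are required to match.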
Can you still get an SHA-1 certificate if you need it?
Yes, until December 2015 you may contact email@example.com with your order number and let us know that you want the certificate to be issued with SHA-1. Please note that SHA-1 certificates will be restricted to a lifetime of 1 year.