home / support / ssl certificate sha1 to sha2 transition

SSL Certificate SHA-1 to SHA-2 Transition

Due to the discovery of vulnerabilities in the SHA-1 algorithm and the continual increase in computing power, the feasibility of breaking the SHA-1 hash will increase over time. Internet browsers and Certificate Authorities (CAs) have already started to phase out SHA-1 in favour of the new SHA-2 algorithm. However, recent announcements from Google about depreciating support for SHA-1 based certificates with an expiry date in 2016 or later means that you will have to take action now to make sure your SSL setup is not affected by the accelerated transition. This article offers you more information on how this will effect your SSL setup and how you can move to SHA-2 certificates.

As of 2014, SHA-1 is still acceptable, but with the continual increase in computing power, the security of SHA-1 will become a concern in the future.

As your security partner, QualitySSL has already made SHA-256 the default hash algorithm for all new QualitySSL Certificates since September 2014.

Important Dates

As part of their SHA-2 migration plan, Google, Microsoft and Mozilla have announced that they will stop trusting SHA-1 SSL certificates. Google will begin phasing out trust in SHA-1 certificates by the end of 2014, while Microsoft and Mozilla will begin phasing out trust for SHA-1 certificates in 2016.

SHA-2 Compatibility

The good news is that most commonly used operating systems, browsers, mail clients and mobile devices already support SHA-2. We have put together a compatibility list for known SHA-2 support, as there are some older operating systems such as Windows XP SP2 that do not currently support SHA-2.

The following list gives an overview of operating systems/browsers that currently support SHA-2:

The following list gives an overview of servers that currently support SHA-2:

Find and replace SHA-1 certificates for Free

We have contacted all QualitySSL customers that have certificates that expire in 2016 or later, as those certificates will be affected by the accelerated SHA-2 transition.

As a QualitySSL costumer you can get your QualitySSL certificates re-issued with SHA-256 at no cost. All you have to do is generate a new CSR and email it to support@qualityssl.com.

Please Note: Re-issuing a certificate requires the completion of the validation steps before the certificate becomes available, so please plan accordingly.

In case you have a certificate from another vendor, you can use our SSL Server Test to to check if your SSL certificate uses SHA-1 and if you decide to re-place the certificate with a new QualitySSL certificate then email your QualitySSL order number to sales@qualityssl.com and we will add 3 months to the lifetime of your new SHA-256 certificate for free.

Can you still get an SHA-1 certificate if you need it?

Yes, until December 2015 you may contact support@qualityssl.com with your order number and let us know that you want the certificate to be issued with SHA-1. Please note that SHA-1 certificates will be restricted to a lifetime of 1 year.

For additional information visit:

Google sunsetting SHA-1
Microsoft SHA1 Deprecation Policy
Mozilla Phasing Out Certificates with SHA-1 based Signature Algorithms

Questions ?

Please feel welcome to contact us by

    E-mail support@qualityssl.com

    Phone +45 30 29 19 09