The University should only request SHA-2 SSL certificates going forward. Currently existing SHA-1 SSL certificates are being deprecated and will need to be replaced by a more secure SHA-2 SSL certificate by January 1, 2016.

Reasons for the Change to SHA-2

SHA-1 and SHA-2 are cryptographic algorithms also known as “hashes”. They are used as one of the components in the digital signatures that make secure certificates work. As time passes and new technologies are developed, the existing cryptographic algorithms become relatively weaker as potential attacks evolve due to the availability of increasingly powerful computers and advanced crypto-analysis. Other hash algorithms (e.g., MD5, MD4, and MD2) have already been retired as they are no longer secure against today’s threat capabilities. The time has come for SHA-1 to be retired.

The retirement of SHA-1 has been in sight for a long time. Standards organizations like NIST have been directing the use of SHA-2 for some time now. The recent vulnerability discoveries have crystallized the need for actual dates when SHA-1 support will be retired from popular mainstream browsers and operating systems.

Impact of the Change

Unless SHA-2 SSL certificates are in place by the retirement deadlines, it is possible that users may start to see warning messages in their browsers regarding security of the https site they’re visiting. It is recommended to install a new SHA-2 SSL certificate as soon as is convenient for your browser-based application. According to Certificate Authorities, the transition to SHA-2 is one way that they and browser vendors continue to ensure that encryption standards in use are at least 10 years ahead of the most advanced cryptographic analysis techniques available. SHA-1 will be deprecated altogether by mainstream platforms on or before January 1, 2016.

Does Anything Still Need SHA-1 Certificates?

Some older browsers and operating systems may not support SHA-2 SSL certificates, one example is Microsoft Windows XP Service Pack 2 and below.  Most mainstream web browsers and operating systems such as have been compatible with SHA-2 for quite some time.

Examples of older browsers that support SHA-2 include Internet Explorer 6.0+ and Apple Safari from Mac OS X 10.5+ and older operating systems such as Mac OS X 10.5, Windows XP SP3, Windows Server 2003 SP1, and Apache 2.0.63 have all been reported as compatible with the stronger SHA-2 cryptographic algorithm.

Next Steps: Expiring SHA-1 Certificates

You will need to request and install a new SHA-2 SSL certificate. In order to be issued a SHA-2 certificate, you will need to request and install a new SHA-2 SSL certificate; renewal of existing SHA-1 certificates will not automatically upgrade your certificate to the new SHA-2 standard. The process for obtaining SHA-2 certificates is the same as it was for SHA-1 certificates.