SHA-1 SSL Certificates
SHA-1 was a very popular hashing algorithm used for SSL certificates but is now considered to be insecure. In 2012, a report indicated that it has now become possible to break SHA-1 with enough processing power. In November 2013, Microsoft announced that they wouldn’t be accepting SHA1 certificates after 2016. Microsoft and Google also announced plans to deprecate certificates using SHA-1. For full security in modern browers, it is essential to upgrade any old certificates using SHA-1 to a newer hashing algorithm such as SHA-256.
Switching from SHA-1 Certificates
You will first need to find all certificates in your environment that are using SHA-1 Certificates. You can use our SSL Checker or a tool like DigiCert's SHA-1 Sunset Tool or Symantec's SSL Toolbox if you have a lot of certificates. Once you've found the certificates, you'll just need to generate a new CSR and send the CSR to your certificate provider to re-issue or replace the certificate. You provider will issue a new certificate using a SHA-2 hash algorithm that you can install on your server. Most providers will do this for you at no cost.
SHA-1 Certificate Compatibility
Unfortunately, SHA-2 algorithms aren't supported on several older platforms and devices. For full security, you will need to upgrade those devices and platforms before you can implement new SHA-2 certificates. If you are unable to upgrade that part of your environment immediately, Secure128 offers the ability to issue a SHA-1 certificate that can be used temporarily until you are able to migrate. Issuing any SSL/TLS certificate off of the Private CA hierarchies (VeriSign PCA3-G1/G2 Root CA) will allow you and your customers to support legacy devices and/or systems that require a SHA-1 certificate. These certificates have the following requirements:
- Symantec SHA-1 Private SSL is a Business Organization Validated Certificate
- Does not support non-FQDNs, internal server names, or private domains
- VeriSign PCA3-G2 and Verisign PCA3-G1 roots only
- Only supports 2048
- Only supports public IP addresses (no private IP addresses)
- Requires organization authentication & domain authorization/ownership
- Available for free during reissue/replacement
- Supports SHA-1 beyond 1/1/2016 (limited to 1 year term)
- Avaliable as SHA-1 full chain & SHA- mixed chain
- Supports only encryption algorithms RSA (Not DSA and ECC)
TLS certificates issued off of these hierarchies are not designed to work with modern browers. Using them with modern browsers could pose a security risk and they will regard these certificates as untrusted.