SHA-1 Hash Algorithm Migration for SSL & Code Signing Certificates
Replacing SHA-1 with SHA-2 certificates
Microsoft and Google have announced SHA-1 deprecation plans that affect websites whose SHA-1 certificates expire after December 31, 2015.
According to Google’s blog on “Gradually Sunsetting SHA-1”,
Chrome version 39 and later will display visual security indicators on sites with SHA-1 SSL certificates that remain valid beyond January 1, 2016. The production release of Chrome 39 is expected in November 2014. Depending on the certificate's expiry date and the Chrome version, such sites are shown with one of the following indicators: "secure, but with minor errors" (lock with a yellow triangle), "neutral, lacking security" (blank page icon), or "affirmatively insecure" (lock with a red X). To prevent users on Chrome 39 and later from seeing these indicators, SHA-1 SSL certificates expiring after December 31, 2015 must be replaced with SHA-256 (SHA-2) certificates.
Microsoft's SHA-1 deprecation plan differs in its activation date and in browser behavior. Microsoft's security advisory
on "Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program" states that Windows will stop accepting SHA-1 SSL certificates on January 1, 2017; rather than a warning indicator, the certificate is treated as invalid. To continue to work on Microsoft platforms, every SHA-1 SSL certificate, whether issued before or after the announcement, must be replaced with a SHA-2 equivalent before January 1, 2017. The same advisory sets an earlier date for code signing: Windows stops accepting SHA-1 code signing certificates for signatures that do not carry a timestamp after January 1, 2016.
The deprecation plans also cover SHA-1 intermediate certificates: a SHA-2 end-entity certificate must chain through SHA-2 intermediates to avoid the browser behaviors described above, so check the whole chain your server sends, not just the leaf. SHA-1 root certificates are not affected, because a root's self-signature is never verified; a root is trusted by virtue of being in the platform's trust store, so the hash used in its own signature does not matter.
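The two rules above (replace SHA-1 end-entity certificates that expire after December 31, 2015, and replace any SHA-1 intermediate, while a SHA-1 root is fine) can be checked mechanically. The following is an added example, not Symantec's tooling or code from the page: it reads each certificate's outer signatureAlgorithm OID, issuer, subject and notAfter directly from DER with a small ASN.1 walker, classifies the algorithm by OID, and reports a verdict per certificate. The sample chains at the bottom are constructed stand-ins (unsigned, containing only the fields the walker reads); the names "Example SHA-1 CA", "Example Root" and the helper functions are assumptions for illustration.

```python
"""Audit a certificate chain for SHA-1 signatures with a minimal DER walker.
Added example, not vendor tooling. The sample chains are constructed stand-ins."""
from datetime import datetime

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, hash family)
SIG_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "SHA-2"),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384",       "SHA-2"),
}
CUTOFF = datetime(2015, 12, 31, 23, 59, 59)   # "expiring after December 31, 2015"

# --- minimal DER reader ---------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """List of (tag, value) for every TLV inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(value):
    """Dotted-string form of a DER OBJECT IDENTIFIER value (base-128 arcs)."""
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def parse_time(tag, raw):
    """UTCTime (0x17, two-digit year per RFC 5280 4.1.2.5.1) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, s = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    else:
        year, s = int(s[:4]), s[4:]
    return datetime(year, int(s[0:2]), int(s[2:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]))

def inspect(der):
    """Outer signature algorithm, self-signed flag and notAfter of one DER certificate."""
    tbs, sig_alg, _ = children(read_tlv(der)[1])       # Certificate ::= SEQUENCE {tbs, alg, sig}
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                            # version [0] EXPLICIT is optional
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_after_tag, not_after = children(validity)[1]
    oid = decode_oid(children(sig_alg[1])[0][1])
    name, family = SIG_OIDS.get(oid, (oid, "unknown"))
    return {"sig": name, "family": family, "self_signed": issuer == subject,
            "not_after": parse_time(not_after_tag, not_after)}

def audit_chain(chain):
    """chain: DER certificates, leaf first, root last. Returns [(role, verdict), ...]."""
    report = []
    for i, der in enumerate(chain):
        c = inspect(der)
        role = "root" if c["self_signed"] else ("leaf" if i == 0 else "intermediate")
        if c["family"] != "SHA-1":
            verdict = "ok: %s" % c["sig"]
        elif role == "root":
            verdict = "ok: root self-signature is never validated"   # trust comes from the store
        elif role == "leaf" and c["not_after"] <= CUTOFF:
            verdict = "ok: SHA-1 but expires on or before 2015-12-31"
        else:
            verdict = "replace: %s, expires %s" % (c["sig"], c["not_after"].date())
        report.append((role, verdict))
    return report

# --- constructed sample chains (unsigned stand-ins, not real certificates) ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [p[0] * 40 + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def name(cn):   # Name with a single CN attribute (OID 2.5.4.3, UTF8String)
    return tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))

def make_cert(subject, issuer, sig_oid, not_after):
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, not_after.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer) + validity + name(subject) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 5))   # dummy signatureValue BIT STRING

RSA_SHA1, RSA_SHA256 = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
OLD_CHAIN = [make_cert("www.example.com", "Example SHA-1 CA", RSA_SHA1, "171231235959Z"),
             make_cert("Example SHA-1 CA", "Example Root", RSA_SHA1, "201231235959Z"),
             make_cert("Example Root", "Example Root", RSA_SHA1, "301231235959Z")]
NEW_CHAIN = [make_cert("www.example.com", "Example SHA-2 CA", RSA_SHA256, "171231235959Z"),
             make_cert("Example SHA-2 CA", "Example Root", RSA_SHA256, "201231235959Z"),
             OLD_CHAIN[2]]   # the SHA-1 root stays: it is not impacted

if __name__ == "__main__":
    for label, chain in (("old", OLD_CHAIN), ("new", NEW_CHAIN)):
        print(label, audit_chain(chain))
```

On a real deployment you would feed audit_chain the DER certificates your server actually sends (for example the chain saved by openssl s_client), leaf first; the walker only reads the outer signatureAlgorithm, so it does not verify any signature, which is exactly why the root's SHA-1 self-signature is reported as harmless while a SHA-1 intermediate is flagged.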
As technology evolves, it is critical to stay ahead of those who wish to defeat cryptographic technologies for malicious purposes. Symantec is helping to make the Internet more secure by proactively enabling, promoting and elevating strong cryptographic standards within SSL/TLS and code signing certificates. As part of this effort, Symantec has made SHA-2 replacement certificates available to its customers at no additional charge.
The migration from SHA-1 to SHA-256 (SHA-2) is the next proactive step in securing websites, intranet communications and applications. Organizations should develop a migration plan for every SHA-1 SSL and code signing certificate that expires after December 31, 2015, including the intermediate certificates those certificates chain to.
Here are some resources to help with the migration: