SHA-1 Hash Algorithm Migration for SSL & Code Signing Certificates
Replacing SHA-1 with SHA-2 certificates
Microsoft and Google have announced SHA-1 deprecation plans that may affect websites with SHA-1 certificates expiring after December 31, 2015.
According to Google’s blog post “Gradually Sunsetting SHA-1”, Chrome version 39 and later will display visual security indicators on sites with SHA-1 SSL certificates whose validity extends beyond January 1, 2016. The production release of Chrome 39 is expected in November 2014. Such sites will be shown one of the following indicators: “secure, but with minor errors” (lock with a yellow triangle), “neutral, lacking security” (blank page icon) or “affirmatively insecure” (lock with a red X). To prevent users on Chrome version 39 and later from seeing these indicators, SHA-1 SSL certificates expiring after December 31, 2015 must be replaced with SHA-256 (SHA-2) certificates.
Microsoft’s SHA-1 deprecation plan differs in its activation date and browser behavior. Microsoft’s security advisory “Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program” states that Windows will cease accepting SHA-1 SSL certificates on January 1, 2017. To continue working with Microsoft platforms, all SHA-1 SSL certificates, whether issued before or after this announcement, must be replaced with a SHA-2 equivalent by January 1, 2017.
The SHA-1 deprecation plans also impact SHA-1 intermediate certificates; SHA-2 end-entity certificates must be chained to SHA-2 intermediate certificates to avoid the adverse browser behaviors described above. SHA-1 root certificates are not impacted.
As technology evolves, it is critical to stay ahead of those who wish to defeat cryptographic technologies for their malicious benefit. Symantec is helping to make the Internet more secure by proactively enabling, promoting, and elevating strong cryptographic standards within SSL/TLS and code-signing certificates. As part of this effort, Symantec has made available SHA-2 replacement certificates at no additional charge to our customers.
The initiative to migrate from SHA-1 to SHA-256 (SHA-2) is the next proactive phase to better secure websites, intranet communications, and applications. Organizations need to develop a migration plan for any SHA-1 SSL and code signing certificates that expire after December 31, 2015.
Here are some resources to help with the migration:
Frequently Asked Questions
Q: What will happen if my site has SHA-1 SSL certificates?
A: Users visiting the site in Chrome may see negative visual security indicators if the SHA-1 certificates are valid beyond December 31, 2015. Users on Windows will not be able to access sites with SHA-1 certificates after January 1, 2017.
Q: What should I do?
A: Customers should take an inventory of their certificates and plan to migrate affected SHA-1 SSL certificates before November 2014. Affected SHA-1 SSL certificates are those with validity beyond December 31, 2015. Customers are entitled to a credit for any unused validity left on the SHA-1 certificate. If assistance is required, customers may contact the Symantec support team. SHA-1 certificates can still be issued, but their validity must not extend past December 31, 2015.
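One way to triage such an inventory against the dates quoted on this page, as an added example (this is not Symantec’s tooling; the record field names, the constructed sample records and the use of November 1, 2014 to stand for the Chrome 39 release month are assumptions):

```python
from datetime import date

# Dates quoted in the article; November 1, 2014 stands in for "the November 2014 release of Chrome 39".
CHROME_39_RELEASE = date(2014, 11, 1)
GOOGLE_VALIDITY_CUTOFF = date(2015, 12, 31)  # SHA-1 certs valid past this date get Chrome indicators
WINDOWS_SHA1_CUTOFF = date(2017, 1, 1)       # Windows ceases accepting SHA-1 certificates
# Signature-algorithm names as printed by "openssl x509 -text"; any of these counts as SHA-1.
SHA1_SIGNATURE_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

def classify(cert):
    """Return (action, deadline, reason) for one inventory record (assumed field names).

    cert keys: subject, sig_alg, not_after (date), role ('end-entity',
    'intermediate' or 'root') and usage ('ssl' or 'code-signing')."""
    if cert["sig_alg"] not in SHA1_SIGNATURE_ALGS:
        return ("none", None, "already SHA-2")
    if cert["role"] == "root":
        return ("none", None, "SHA-1 root certificates are not impacted")
    if cert["role"] == "intermediate":
        # SHA-2 end-entity certificates must chain to SHA-2 intermediates.
        deadline = CHROME_39_RELEASE if cert["usage"] == "ssl" else WINDOWS_SHA1_CUTOFF
        return ("replace intermediate with SHA-2", deadline, "end-entity certs must chain to SHA-2")
    if cert["not_after"] <= GOOGLE_VALIDITY_CUTOFF:
        # Expires on or before December 31, 2015: not in either plan; renew as SHA-2 at expiry.
        return ("renew as SHA-2 at expiry", cert["not_after"], "validity ends by December 31, 2015")
    if cert["usage"] == "ssl":
        # Chrome 39+ flags it from November 2014; Windows rejects it from January 1, 2017.
        return ("replace with SHA-2", CHROME_39_RELEASE, "Chrome 39 indicators, Windows cutoff 2017")
    # Code signing: Google's plan does not apply, but Microsoft's does.
    return ("replace with SHA-2", WINDOWS_SHA1_CUTOFF, "affected by Microsoft's deprecation plan")

def migration_plan(inventory):
    """Return (cert, action, deadline, reason) for records needing work, soonest deadline first."""
    work = [(c,) + classify(c) for c in inventory]
    return sorted((w for w in work if w[1] != "none"), key=lambda w: w[2])

# Constructed sample inventory (not real certificates).
SAMPLE_INVENTORY = [
    {"subject": "www.example.test", "sig_alg": "sha1WithRSAEncryption",
     "not_after": date(2017, 6, 30), "role": "end-entity", "usage": "ssl"},
    {"subject": "legacy.example.test", "sig_alg": "sha1WithRSAEncryption",
     "not_after": date(2015, 9, 1), "role": "end-entity", "usage": "ssl"},
    {"subject": "Example Code Signing", "sig_alg": "sha1WithRSAEncryption",
     "not_after": date(2016, 3, 1), "role": "end-entity", "usage": "code-signing"},
    {"subject": "Example Intermediate CA", "sig_alg": "sha1WithRSAEncryption",
     "not_after": date(2020, 1, 1), "role": "intermediate", "usage": "ssl"},
    {"subject": "Example Root CA", "sig_alg": "sha1WithRSAEncryption",
     "not_after": date(2030, 1, 1), "role": "root", "usage": "ssl"},
]
```

Calling migration_plan(SAMPLE_INVENTORY) lists the SHA-1 SSL end-entity and intermediate certificates first (November 2014), then the certificate that simply expires in 2015, then the code signing certificate (January 2017); the SHA-1 root is left out.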
Q: Is there a cost to replace an affected certificate?
A: No, replacements for affected certificates are issued at no additional charge.
Q: Can I get a refund for any unused validity?
A: Yes, any unused validity on a certificate that can’t be transferred to a new certificate is entitled to a unit refund.
Q: Is SHA-1 still safe? Why do customers need to migrate?
A: The Certification Authority/Browser (CA/B) Forum and industry leaders are proactively looking for ways to help customers secure their environments and infrastructure. SHA-1 has been a widely accepted industry standard; however, SHA-2 contains a number of improvements that strengthen security. In addition, the National Institute of Standards (NIST) has recommended its use instead of
Q: What is Symantec doing in response to this?
A: SHA-2 end-entity and intermediate certificates are currently available. Please review Service Notifications from Symantec for information on how to replace affected certificates.
Q: Does SHA-1 migration apply to code signing certificates?
A: Yes. Although code signing certificates are not included in Google’s SHA-1 deprecation plan, they are affected by Microsoft’s plan.
Q: When should customers migrate?
A: Customers should replace certificates that expire after December 31, 2015 before November 2014.
Q: Can my server accept a SHA-2 Certificate?
A: Please check your server's documentation to ensure it can accept a SHA-2 certificate. If you purchase a SHA-2 certificate and your server fails to support it, you have 30 days to apply for unit reimbursement.