Why migrate to SHA-2 TLS/SSL certificates?
As your security partner, DigiCert has made SHA-256 the default for all TLS/SSL certificates issued, and strongly recommends that all customers update their SHA-1 certificates to SHA-2. That’s because SHA-1 has not been considered secure since at least 2006. In fact, NIST deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. Cryptanalysts have urged administrators to replace their SHA-1 certificates as the risks associated SHA-1 are greater than previously expected.
How do I quickly find and replace SHA-1 certificates?
The DigiCert CertCentral® cloud-based Discovery tool helps you quickly find and replace SHA-1 TLS/SSL Certificates with a free DigiCert SHA-2 certificate. Our Discovery tool can scan for certificates even inside the most complex distributed networks. We also provide multiple scanning options to uncover and monitor all certificates, private and public, regardless of the Certificate Authority (CA).
TLS/SSH (Secure Shell Keys) Discovery has two components to help you thoroughly scan networks for TLS certificates and SSH keys:
- Cloud scanning – A fast and easy option for finding TLS certificates on public-facing servers. This option requires no installation and can instantly initiate from the CertCentral UI.
- Network scans discover all public and private TLS certificates across complex distributed networks. Thoroughly scan your environment to build reports and have complete visibility of all TLS certificates and SSH keys.
When should I switch to SHA-2?
Google, Mozilla, and Microsoft have already phased out trust for SHA-1 SSL Certificates. In the past, Chrome also showed SHA-1 warnings for sites using SHA-1 certificates. Administrators who have not yet replaced their SHA-1 certificates with SHA-2 certificates should start making the switch now.
In August 2014, Google took an even more aggressive stance stating that Chrome will display warnings starting in November 2014 for sites secured with SHA-1 certificates due to SHA-1 being insufficiently secure. Google’s intent is to help phase out SHA-1 certificates on an accelerated timeline and make the transition smoother than MD5.
In October 2015, an international team of cryptanalysts published research urging administrators to replace their SHA-1 certificates sooner as the risks associated SHA-1 are greater than previously expected. The published findings are theoretical and have not yet been proven in a practical setting. While there doesn't appear to be an immediate danger, we strongly encourage administrators to migrate to SHA-2 as soon as possible.
Administrators should consider the impact this update could have and plan for the following:
- Hardware compatible with SHA-2
- Server software updates supporting SHA-2
- Client software support for SHA-2
- Custom application support for SHA-2
Browsers and CAs have previously encouraged migration to SHA-2 by 2017, however current research should encourage organizations to accelerate their plans to upgrade existing infrastructure to support SHA-2. For more information about SHA-2 timelines, please visit our SHA-2 FAQ.