
Understanding SHA-2

Article Number: KB 1656

Product: Value Added Services

Audience: eNom Reseller, eNom Central, Bulk Register

Problem

What is SHA-2? Why should I use SHA-2?

Solution

The following frequently asked questions (FAQs) explain SHA-2 and the migration away from SHA-1.

What is SHA-2?

SHA stands for “secure hash algorithm”; it is the hash algorithm used when SSL certificates are signed. SSL certificates are used by web browsers to verify the authenticity of a webserver.

Currently most SSL certificates rely on the SHA-1 algorithm for validation. SHA-1 was introduced 20 years ago and was designed around the computing power of that time. Modern computing will soon advance to the point where SHA-1 is no longer secure.

To avoid any potential security issues that might arise from using an old algorithm, companies such as Microsoft and Google announced that they will be deprecating the use of SHA-1 and will start using a new and more secure algorithm, named SHA-2.

Therefore, you should start planning to gradually migrate all of your webservers to use SHA-2 SSL certificates.

What will happen if my site has a SHA-1 SSL certificate?

Customers using the Chrome browser to access secure websites may experience negative visual security indicators if the SHA-1 certificates are valid beyond December 31, 2015. If they are on Windows, they will not be able to access sites with SHA-1 certificates after January 1, 2017.

Starting December 2014 (Chrome version 39+):

  • Customers using Chrome version 39 or higher who visit sites with SHA-1 certificates that expire between June 1st, 2016 and December 31st, 2016 will see a yellow triangle in their Google Chrome browser (“secure but with minor errors”).
  • In Chrome version 40, sites with SHA-1 certificates that expire on or after 1 January 2017 will be treated as “neutral, lacking security”.
  • In Chrome version 41, sites with SHA-1 certificates that expire any time between January 1st, 2016 and December 31st, 2016 will be treated as “secure, but with minor errors”.
  • In Chrome 41, sites with SHA-1 certificates expiring after January 1st, 2017 will be treated as “affirmatively insecure”.
  • As of January 1 2017, Microsoft will stop trusting SHA-1 SSL certificates.

How do I re-issue my SHA-1 SSL certificate?

Re-issuing a SHA-1 SSL certificate is free. However, the re-issue method varies depending on the type of SSL certificate you currently have.

Before re-issuing your SHA-1 SSL, you should ensure that your webserver supports SHA-2. You can check your server compatibility here.

What do I need to know if I have a COMODO certificate?

If you have purchased a COMODO SSL certificate, please submit a support ticket from your eNom account including a CSR requesting a SHA-2 certificate. We will work with Comodo to generate the SHA-2 certificate for you.

What do I need to know if I have a GeoTrust, RapidSSL or Symantec certificate?

If you have purchased a GeoTrust, RapidSSL or Symantec SSL certificate, you can reissue it as a SHA-2 certificate via the vendor's online portal by following these steps:

For GeoTrust certificates:

  1. Go to the GeoTrust online portal at https://products.geotrust.com/orders/orderinformation/authentication.do
  2. Generate a Certificate Signing Request (CSR)

For RapidSSL certificates:

  1. Access the RapidSSL User Portal for SSL certificate re-issuance: https://products.geotrust.com/geocenter/reissuance/reissue.do.
  2. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address.
  3. Click on the link listed in the e-mail to enter the User Portal, and then click the Reissue Certificate option in the left hand column.
  4. On the next screen, select your Hashing Algorithm, then copy and paste the new CSR.
  5. Select the Subscriber Agreement and click Submit.

After the order is approved, the SSL certificate will be re-issued.

For Symantec certificates:

  1. Go to Symantec online portal: https://products.verisign.com/orders/orderinformation/authentication.do.
  2. Generate a Certificate Signing Request (CSR).
  3. Access the Symantec User Portal for SSL certificate re-issuance at https://products.verisign.com/orders/orderinformation/authentication.do
  4. Select Request Access against the correct order ID
  5. An e-mail will be sent to the technical contact e-mail address.
  6. Click on the link listed in the e-mail to enter the User Portal, and then click the Reissue Certificate option in the left hand column.
  7. On the next screen, select your Hashing Algorithm, then copy and paste the new CSR.
  8. Select the Subscriber Agreement and click Submit.

After the order is approved, the SSL certificate will be re-issued.
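Before requesting a reissue, it helps to confirm which hash your current certificate was signed with and to generate a CSR that asks for SHA-2 (SHA-256). The script below is an added example, not eNom's or any CA's own tooling; it assumes the openssl command-line tool is installed, and the hostname and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: inspect the signature hash of a certificate or CSR and
# produce a SHA-256 CSR for the reissue portals. Assumes the openssl CLI.
set -eu

# First "Signature Algorithm:" line of an openssl text dump, e.g.
# sha256WithRSAEncryption or sha1WithRSAEncryption (reads stdin)
sig_alg_of_text() {
    awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Signature algorithm of a PEM certificate file
cert_sig_alg() { openssl x509 -in "$1" -noout -text | sig_alg_of_text; }

# Signature algorithm of a PEM CSR (the text pasted into the portal)
csr_sig_alg() { openssl req -in "$1" -noout -text | sig_alg_of_text; }

# Signature algorithm of the certificate a live server presents
# (needs network access; not exercised by the offline test)
server_sig_alg() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | sig_alg_of_text
}

# Map an algorithm name to the family the browser deadlines above care about
hash_family() {
    case "$1" in
        sha256*|sha384*|sha512*) echo SHA-2 ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) echo SHA-2 ;;
        sha1*|ecdsa-with-SHA1) echo SHA-1 ;;
        *) echo unknown ;;
    esac
}

# New 2048-bit RSA key plus a CSR signed with SHA-256
# $1 = hostname (CN), $2 = key file to write, $3 = CSR file to write
make_sha2_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Self-signed SHA-256 certificate from an existing key, for local testing only
# $1 = hostname (CN), $2 = key file, $3 = certificate file to write
self_sign_sha2() {
    openssl req -new -x509 -sha256 -days 1 -key "$2" \
        -subj "/CN=$1" -out "$3" 2>/dev/null
}
```

A result of SHA-1 from `hash_family "$(server_sig_alg www.example.com)"` means the server still needs the reissue; the CSR written by `make_sha2_csr` is what you paste into the portal after choosing SHA-2 as the hashing algorithm.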

Can I still purchase SHA-1 certificates?

It depends. Currently all SSL certificates issued by Comodo are based on the SHA-2 root chain, unless your server requests a SHA-1 certificate (such certificates are issued for 1 year only).

Starting December 9th all GeoTrust and Symantec SSL certificates will be SHA-2.

We will start enforcing SHA-2 certificates regardless of the customer’s server request starting January 2015.

Is there a way to re-issue more than one SHA-2 certificate at the same time?

We are currently working with our SSL partners to identify a solution that could address this issue. However, in the meantime please contact our Tech Support or Sales Team at +1-425-974-4688.

More Information

For more information, visit http://www.bulkregister.com/news/847/whats-sha-2-faqs.html.

Last Updated: October, 2015
