What You Need to Know About SHA-1 and SHA-2
The signature algorithm of a certificate is often still based on SHA-1. This algorithm is considered as insecure today and therefore such a certificate should be reissued with SHA-2. Updating is fairly simple and should be done as long as browsers still accept SHA-1.
A short intro and why SHA-1 isn't good enough anymore
SHA stands for "secure hash algorithm". It's a cryptographic hash function designed by the United States National Security Agency (NSA). The SHA algorithms are categorised into four sets: SHA-0, SHA-1, SHA-2, and SHA-3.
SHA-1 was introduced in 1995. SHA-1 generates a 160-bit hash value also known as the message digest. It was considered as safe back then, but not anymore. Cryptographic algorithms became relatively weaker since they are degraded by possible attacks by increasingly powerful computing power and better cryptanalysis.
SHA-2 has then been introduced to address the weaknesses of SHA-1. The SHA-2 family includes six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256).
SHA-1 was often used as the signature algorithm for certificates. There are still certificates out there, which have been issued years ago (with SHA-1). These certificates need to be reissued. Why? Because browsers will stop trusting SHA-1-based certificates. If your customers are complaining about HTTPS problems, it's possible that the issue is related to this topic here (especially if the customer has just recently updated the browser).
Support of SHA-1 certificates
All common browsers will discontinue the support for SHA-1-based certificates.
- Chrome: Depending on the Chrome version and the expiry date of the certificate. The browser might not accept the certificate anymore! More details here.
- Firefox: They will start showing warnings as early as 2015. Check out the timeline here.
- Internet Explorer: The timeline of the IE is similar to the other browsers.
If your certificate is still based on SHA-1, we recommend reissuing it as soon as possible. The only exception might be if the certificate expires in a few months and you need to do it anyway when it expires.
How to update your certificate to SHA-2
The update process is simple. All that needs to be done is reissuing the certificate. If you are using Shared SSL, you don't need to do anything (we will take care of it). This topic is only relevant to you if you're using Custom SSL (this means you're in charge of providing the certificate). Make sure to not just update the Custom SSL certificate that you deploy in your KeyCDN Zone, but also your certificate deployed on your origin server.
How to check what signature algorithm you're using for your certificate? Go to SSLLabs and test your URL. Look for "Signature algorithm" in the test report. Here's an example of a certificate already based on SHA-2:
How to get a new certificate? A certificate vendor allows you to reissue the certificate in their dashboard. You simply need to generate a new CSR and reissue the certificate. A certificate that you order today should automatically be based on SHA-2. Once you get the certificate, you only need to upload it to the KeyCDN dashboard and you're done.