SHA-2 SSL Certificate Authorities

    Earlier in the article, I talked about what will happen to support in the browsers from Mozilla, Google and Microsoft for the SHA-1 hash algorithm used to generate and sign SSL certificates. Let me remind you that Microsoft gave certification authorities something of an ultimatum: they should stop using SHA-1 ("CAs must stop issuing new SHA1 SSL ...") and switch to more modern cryptographic algorithms. Today we'll look at how the certification authorities themselves reacted to this, and how it will affect the owners of SSL certificates.



    Below is information that some large certification authorities published on their websites:

    GoDaddy
    “Without fail, all SHA-1 certificates are revoked for re-issuance using SHA-2. All new certificates with an expiration date of January 1, 2017 will only use SHA-2. The remaining new certificates will also use SHA-2. Code-signing certificates, which expire after December 31, 2015, must use SHA-2.”

    Comodo
    “Starting September 8, 2014, Comodo began issuing certificates with SHA-2 by default. Depending on the expiration date of the certificate, the owners of the certificates will be notified of replacing the certificates from SHA-1 with those created using SHA-2.
    The Comodo Certification Authority has also published a schedule of its withdrawal from using SHA-1.

    • September 8, 2014: All current owners of SSL certificates can replace their certificate with SHA-1 with the same, but with SHA-2. You can do this by logging in to your account, going to the order of certificates and using the "Replace Certificate" option.
    • September 8, 2014: Comodo begins issuing SHA-2 certificates by default. But it provides an opportunity to choose a certificate with SHA-1 when ordering, if it is really needed. If the SHA-1 option is not selected when ordering, then a certificate with SHA-2 will be sent.
    • September 22, 2014: Comodo began issuing SSL certificates that expire after 2016 only using SHA-2.
    • January 1, 2016: Comodo no longer supports signatures or certificates based on SHA-1.

    Comodo reissues certificates that expire after 2016 using the SHA-2 hash algorithm.”

    Verisign / Symantec
    “Certificate holders should begin re-issuing certificates by November 2014. All certificates with a validity period until January 1, 2016 should be re-issued. SHA-1 can be released, but only for a period until December 31, 2015.”

    Judging by the information on the website https://shaaaaaaaaaaaaaa.com/, which contains the most relevant information on certification authorities, most companies have responded adequately and on time. They offered their customers the opportunity to re-issue certificates already in use for free. Some of the certification authorities temporarily kept the option to issue certificates using the SHA-1 hash algorithm.

    In addition to the above site, you can check the site’s SSL certificate with a service from Symantec:
    https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
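
    A local version of that check, as an added example rather than code from the article or from the Symantec service: it parses the text printed by `openssl x509 -noout -text` and flags SHA-1-signed certificates that remain valid past a cut-off. The sample dump, the `audit` function and the January 1, 2016 cut-off are assumptions made for the illustration.

```python
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Assumption: SHA-1 certificates must not be valid on or after this date. The CA
# statements quoted above use cut-offs between Dec 31, 2015 and Jan 1, 2017.
SHA1_CUTOFF = datetime(2016, 1, 1)

# Constructed sample of `openssl x509 -noout -text` output (not a real certificate).
SAMPLE_SHA1 = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Mar  1 00:00:00 2014 GMT
            Not After : Mar  1 23:59:59 2017 GMT
        Subject: CN=www.example.test
"""
SAMPLE_SHA2 = SAMPLE_SHA1.replace("sha1With", "sha256With")


def audit(text, cutoff=SHA1_CUTOFF):
    """Return (verdict, signature_algorithm, not_after) for one certificate dump."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text)
    end = re.search(
        r"Not After\s*:\s*(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\d{4})", text)
    if not alg or not end or end.group(1) not in MONTHS:
        raise ValueError("input does not look like `openssl x509 -text` output")
    mon, day, hh, mm, ss, year = end.groups()
    not_after = datetime(int(year), MONTHS.index(mon) + 1,
                         int(day), int(hh), int(mm), int(ss))
    name = alg.group(1)
    # Matches sha1WithRSAEncryption, ecdsa-with-SHA1, dsaWithSHA1; not sha256/384/512.
    if not re.search(r"sha-?1(?!\d)", name, re.IGNORECASE):
        verdict = "ok"
    elif not_after >= cutoff:
        verdict = "reissue"            # SHA-1 and still valid past the cut-off
    else:
        verdict = "sha1-until-expiry"  # SHA-1, but expires before the cut-off
    return verdict, name, not_after


if __name__ == "__main__":
    for label, dump in (("sha1", SAMPLE_SHA1), ("sha2", SAMPLE_SHA2)):
        print(label, audit(dump))
```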
