Moving SHA-1 certificates to the SHA-2 hashing algorithm
While there doesn’t appear to be an immediate danger, DigiCert strongly encourages administrators to migrate to SHA-2 as soon as feasibly possible.
The following migration guide will help administrators plan and deploy SHA-2 SSL Certificates.
SHA-1 to SHA-2 migration steps
- Check Environment for SHA-2 Certificate Support
The first step is to ensure that your environment, including both software and hardware, will support SHA-2 certificates. Refer to the SHA-2 compatibility page for a list of supported hardware and software.
If parts of your environment will not support SHA-2, you must replace or upgrade those pieces before you can implement new certificates.
- Find All SHA-1 Certificates
Find all of the SHA-1 certificates in your network, regardless of issuer, by using scanning tools like .
- Generate New CSRs for Each SHA-1 Certificate
Generate new Certificate Signing Requests (CSR) for any certificates still using SHA-1 on the server where they are installed.
DigiCert provides useful CSR Generators for all major server types that automate the CSR generation process. You can access the DigiCert CSR Generators in the Common Platforms & Operating Systems section of the Create a CSR (Certificate Signing Request) page.
- Replace SHA-1 Certificates with SHA-2 Certificates
To replace your existing SHA-1 certificates with a SHA-2 certificate, you can reissue the certificate, renew the certificate, or purchase a new certificate.
- Install New SHA-2 Certificates
Once you receive your new certificates, install them on your network along with any additional intermediate certificates they require.
The support section of the DigiCert website contains a huge collection of support articles to answer any questions you have about installing certificates in your environment.
If you are using the DigiCert® Certificate Utility for Windows, you can use our innovative Express Install feature that will automate this process, helping you install your certificate with just a few clicks. See SSL Certificate Importing Instructions: DigiCert® Certificate Utility for Windows.
- Test Certificate Installation
The last step is to test your website and make sure that the certificates are installed and working properly. You can use the free DigiCert SSL Installation Diagnostics Tool to find problems. You can also use to ensure that you have not introduced other potential vulnerabilities based on how you configured the certificates.
Replace SHA-1 certificates at no cost
DigiCert understands that migrating to SHA-2 can be difficult. To make migrating SHA-1 certificates as simple as possible, we've made several options available at no cost.
To migrate to SHA-2:
You can reissue, extend, or replace. DigiCert certificates come with unlimited free reissues so it’s easy to replace your SHA-1 Certificate with a SHA-2 Certificate.
To re-issue any current DigiCert certificates:
Log in to your DigiCert customer account and follow the instructions there.
To renew any current DigiCert certificates:
DigiCert customers can also renew an existing certificate to get SHA-2. Starting 90 days before a certificate expires, a renew button appears inside your DigiCert customer account that lets you renew a certificate.
Non-DigiCert certificates:
For non-DigiCert certificates, you can switch away from your existing SHA-1 certificate and upgrade to a DigiCert SHA-2 certificate at no cost.