Internet Explorer, Chrome, and Firefox will discontinue the use of HTTPS/SSL certificates created with SHA-1 encryption and will require the use of SHA-2 secure hash.  Google has announced that SHA-1 encrypted SSL certificates will be depricated beginning with Chrome 39 which was released to the public in November 2014. Chrome will use icons in the address bar to visually indicate degraded security. The visual indicators are sensitive to the certificate expiration date, with certificates expiring in 2017 targeted first, then those expiring in 2016. Certificates expiring in 2014 and 2015 will not be impacted.

By 1/1/2017, all major browsers will reject SHA-1 certificates.

Who is impacted?

Users of your websites may experience negative visual security indicators if the SHA-1 certificates are valid beyond December 31, 2015. Google Chrome users will begin seeing these warning beginning November 2014. Additionally, if a user is on Windows, they will not be able to access sites with SHA-1 certificates after January 1, 2017.

Recommended Actions

Web site/Service owners using HTTPS/SSL Certificates should take inventory of their certificates and plan on migrating affected SHA-1 SSL certificates to SHA-2 SSL.  Based upon the expiration date year of your certificate, the following course of action is recommended:

Expiration YearRecommended Action2015Request a new SHA-2 certificate as your expiration date approaches2016Request a new SHA-2 certificate before January 20152017Request a new SHA-2 certificate now

Upgrade Steps

1. Review SHA-2 Compatibility

Most browsers, platforms, mail clients, and mobile devices already support SHA-2. However, some older operating systems such as Windows XP pre-SP3 do not support SHA-2 encryption.  Ensure your environment, including hardware and software, will support SHA-2 certificates.  Refer to the SHA-2 Compatibility page for a list of supported hardware and software.

2. Determine Certificate Expiration Date

If you are using certificates issued by InCommon/Comodo, you can use the Certificate Manager to generate a custom CSV of all of your certificates expiring on or after January 1, 2016.  To do this, click the 'Reports' tab, use the pull down menu to select Reports -> SSL Certificates, Current Status -> Issued, and Date Selection -> Expiration Date.  Set the To: date field to January 1, 2016.

You can verify this by browsing to your web site and clicking the icon in your browser to view the SSL certificate. On the details screen for the certificate look for the "signature hash algorithm". You can also use tools like OpenSSL to view the details of a certificate.

3. Replace SHA-1 Certificates with SHA-2 Certificates

To obtain a certificate from InCommon/Comodo, simply select one of the SHA-2 Certificate options in the 'Type' pull down menu.  You must re-enroll to obtain a SHA-2 certificate.  You cannot use the replace function.

4. Download and install new certificates

The issuer chain for SHA-2 differs from SHA-1. Incommon/Comodo recommends you update the Certificate chain on your server to make the SHA-2 certificates are trusted.  For further information, see this reference from Colorado State.  If you need SSL cert installation instructions, please see the Comodo knowledgebase.

5. Test Certificate Installation 

 The last step is to test your website(s) and make sure that the certificates are installed and working properly.

If you have questions or need assistance, please complete the InCommon SSL Certificate request form.


Gradually sunsetting SHA-1 (Google)

SHA1 Deprication Policy (Microsoft)

Transitioning your certificates to the stronger SHA-2 hashing algorithm (Comodo)