Executive Summary
The use of the SHA-1 signing algorithm has been deprecated in favor of the newer and more secure SHA-2 algorithm.
Google’s announcement on Sept 5th 2014 accelerated the timeline for browser checking of SHA-1 in web server SSL certificates, so that Chrome will display security notices where SHA-1 is encountered. This will degrade the user experience for visitors to any website whose SSL certificate uses SHA-1.
As of 8 September 2015, Comodo (Sectigo) will issue SHA-2 certificates by default.
Actions required: depending on the expiration dates, customers are advised to replace existing SHA-1 certificates with SHA-2 based certificates. Please see the Important Dates section below, paying particular attention to the Google Chrome timeline.
New certificates issued by Comodo after Monday Sept 22nd, 2015 will be signed with a SHA-2 based intermediate certificate. This intermediate certificate needs to be present in the keystore of the web server.
Customers need to ensure they install the entire certificate chain, including intermediary certificates, and not just the end-entity server certificate. This is best practice for installing any SSL certificate.
Important Dates

| Date | Action |
| --- | --- |
| September 8, 2014 | Comodo continues to offer a free certificate re-issuance program for SSL. All existing SSL customers can have their SHA-1 SSL certificate replaced with an SHA-2 equivalent by logging into their account, locating the certificate order and using the existing 'Replace Certificate' facility. |
| September 8, 2014 | Comodo will issue SHA-2 certificates by default. We provide options at the point of sale to allow customers to elect to receive an SHA-1 certificate if they have a particular need of an SHA-1 certificate. If customers do not explicitly select SHA-1, they will receive an SHA-2 certificate where possible. |
| September 22, 2014 | Comodo will support only SHA-2 for any SSL certificate issued after 22nd September which expires after 2016. Comodo will support only SHA-2 for any Code-signing certificate issued after 22nd September which expires after 2015. |
| January 1, 2016 | Comodo will no longer issue any SHA-1 based code signing or SSL certificates. |
SHA-1 and SHA-2 are cryptographic hash algorithms. They are one of the building blocks of the digital signatures that make certificates work.
Over time, cryptographic algorithms weaken as attacks against them improve, driven by both the availability of increasingly powerful computers and advances in cryptanalysis.
Older hash algorithms such as MD2, MD4 and MD5 have already been discontinued since they are not adequately secure against realistic threats today. Now SHA-1 is going the same way.
More details are available at:
Why was this change made NOW?
The end has been in sight for SHA-1 for a long time. NIST has been directing the use of SHA-2 for some time. The recent announcements have crystallized actual dates when support for SHA-1 will be removed from mainstream operating systems and browsers.
Why should you care?
Unless you ensure your certificates are SHA-2 compliant by the deadlines listed, your customers may begin to see a degraded UI in their browsers. We recommend you get an SHA-2 based replacement certificate as soon as convenient.
The move to SHA-2 is part of a continued effort by CAs and browser vendors to ensure that the encryption standards in use at any point in time are at least 10 years ahead of the most advanced cryptanalysis techniques. SHA-1 will be de-supported altogether by the mainstream platforms that you care about before 2017.
But does anything still need SHA-1?
Microsoft Windows XP SP2 and below do not support SHA-2. Many unlicensed copies of Microsoft Windows use this old version (XP SP2) because Microsoft's license enforcement program (Windows Genuine Advantage) was not introduced until SP3.
There is one estimate of the breakdown of systems incapable of using SHA-1 here.
There is a full list of operating systems, browsers and servers which support SHA-2 on the CA Security Council website here.
What if you already have an SHA-1 certificate that expires in or after 2016?
You will always be able to get a free replacement SHA-2 certificate from Sectigo.
How to identify SHA-1 certificates using SCM
Please see the attached .pdf file
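As an added check that is not part of this article or of Comodo's SCM tooling, the following stand-alone Python reads the signatureAlgorithm OID of every certificate in a PEM bundle (the end-entity certificate plus the intermediates that must be installed with it) and flags any signed with SHA-1 or weaker. The two certificates in SAMPLE_CHAIN are constructed minimal stand-ins, not real issued certificates; the parser itself works on any DER-encoded X.509 certificate.

```python
import base64, re

# Signature-algorithm OIDs (RFC 3279, RFC 5758, RFC 8017): name, and whether the hash is SHA-1 or weaker.
SIG_ALGS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", False),
}
def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(raw):
    """Convert OBJECT IDENTIFIER content bytes to dotted form (first byte packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value); value = 0
    return ".".join(map(str, arcs))
def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm field, i.e. the hash the issuing CA signed with."""
    _, cert, _ = read_tlv(der)                 # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _, end_of_tbs = read_tlv(cert)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, end_of_tbs)  # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    _, oid, _ = read_tlv(alg_id)
    return decode_oid(oid)
def audit_pem_chain(pem_text):
    """Classify each certificate in a PEM bundle (leaf plus intermediates): REPLACE, OK or UNKNOWN."""
    report = []
    for i, b64 in enumerate(re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)):
        oid = signature_algorithm(base64.b64decode("".join(b64.split())))
        name, weak = SIG_ALGS.get(oid, (oid, None))
        report.append((i, name, {True: "REPLACE", False: "OK"}.get(weak, "UNKNOWN")))
    return report
def to_pem(der):  # wrap DER in the PEM armour that web server keystores load
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed minimal certificates (NOT real Comodo certificates): tbs { INTEGER 2 }, AlgorithmIdentifier, BIT STRING.
SHA1_LEAF = bytes.fromhex("3018" "3003020102" "300d06092a864886f70d010105" "0500" "030200ff")
SHA256_INTERMEDIATE = bytes.fromhex("3018" "3003020102" "300d06092a864886f70d01010b" "0500" "030200ff")
SAMPLE_CHAIN = to_pem(SHA1_LEAF) + to_pem(SHA256_INTERMEDIATE)
```

Run audit_pem_chain on the concatenated PEM file you deploy to the server; any REPLACE entry, whether leaf or intermediate, means the chain still depends on SHA-1.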
Announcements of removal or restriction of SHA-1 support
Microsoft. The following italicized text was taken from http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx on March 5th 2014.
There will be separate time-lines for discontinuing SHA1-based SSL and code signing certificates.
Google. Google’s plans for changing the UI of Chrome when a SHA-1 certificate is detected are outlined in their blog post here:
http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
If you have any questions and/or issues, please contact Support: