
Support for SHA-1 signed certificates ends January 1, 2016


As Technology Services announced in September, Microsoft, Google, and Mozilla have all announced that they will stop accepting SHA-1 signed certificates after January 1, 2016. As a result, one or more of your SHA-1 signed certificates may need to be reissued before this deadline in order to comply with the new hash requirements. In addition, if you or your customers use the Google Chrome browser, you may have already noticed a security warning in your address bar for certain websites secured by SHA-1 certificates. Chrome users visiting a website whose certificate expires after December 31, 2016 and is secured with a SHA-1-based signature will now see Google’s “affirmatively insecure” visual indicator (a red HTTPS with a strike-through and an X over the lock in front of it). Because of this visual indicator, your customers may question whether their information is adequately protected by a website signed with a SHA-1 certificate. While there is no current Proof of Concept, SHA-1 has been deprecated since 2011, and Google, Microsoft, and Mozilla announced their moves away from SHA-1 in September 2014.

What do I need to do? 

If you have already requested a free reissue of your certificates after 9/24/14, no further action is required on your part. However, if you need to request a new certificate, you can do so by visiting (external link). You can do a free reissue of any existing SHA-1 certificate that has not yet expired.
Also, please remember for planning purposes that ALL certificates issued by Technology Services after 9/24/14 will require the installation of TWO new intermediate certificates. Please see (external link) for the new required intermediates and attribute information.
If you are concerned about whether the change to SHA-2 will affect your legacy systems, please reference the Comodo SHA-2 transition page (external link).

Do I need to do anything special when I generate my CSR?

Depending on your web server OS, it might be possible to generate a SHA-2 CSR. However, it is NOT necessary to generate a SHA-2 CSR to get a SHA-2 cert back. InCommon will issue these with the SHA-2 hash regardless of which hash was used to generate the CSR. However, please keep in mind that Technology Services can only accept 2048-bit CSRs.

Is there a way to check my current certificate to see if I need to take action?

Click here for a web-based analyzer (external link) that will look at a currently installed certificate. Look at the Signature Algorithm field. If you see "SHA256withRSA" then your certificate has already been updated.
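As an added illustration (not the analyzer linked above, and not Technology Services code), the following standard-library Python script reads the Signature Algorithm field directly out of a DER-encoded certificate and flags anything still signed with SHA-1. The OID table, the function names, and the two sample "certificates" are constructed assumptions; a real certificate would be loaded with `pem_to_der()` from the PEM file on the web server.

```python
import base64, re

SIG_ALGS = {                                # RFC 3279 / 4055 / 5758 signature OIDs
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.10045.4.1": "SHA1withECDSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length-byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):  # OBJECT IDENTIFIER content bytes -> dotted notation
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def signature_algorithm(der_cert):
    """Dotted OID of the outer signatureAlgorithm (Certificate ::= SEQUENCE {tbs, alg, sig})."""
    tag, pos, _ = read_tlv(der_cert, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = read_tlv(der_cert, pos)        # skip tbsCertificate entirely
    _, alg_start, _ = read_tlv(der_cert, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der_cert, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(der_cert[oid_start:oid_end])

def needs_reissue(der_cert):
    """(algorithm name, True if still SHA-1 signed and due for a SHA-2 reissue)."""
    name = SIG_ALGS.get(signature_algorithm(der_cert), "unknown")
    return name, name.startswith("SHA1")

# Constructed samples: real outer shape, stand-in tbsCertificate and signature.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content    # short-form lengths suffice here
def _sample_cert(sig_oid):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xAA" * 8))
SAMPLE_SHA1_CERT = _sample_cert(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSA
SAMPLE_SHA256_CERT = _sample_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
```

Only the outer signatureAlgorithm is inspected here; the copy inside tbsCertificate must match it on a well-formed certificate, and the key size requirement (2048-bit CSRs) would need a separate walk into SubjectPublicKeyInfo.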
If you have other questions about this transition, please email the Technology Services Certificate Manager.

Keywords: Certificate
Doc ID: 54085
Owner: Networking N.
Group: University of Illinois Technology Services
Created: 2015-07-18 17:15 CDT
Updated: 2016-12-19 17:02 CDT
Sites: University of Illinois Technology Services