Upgrade your SSL certificate to SHA-256

22 October 2014, in Hosting Security

SSL certificates protect internet connections by encrypting data and validating the identity of the other party. How much a browser can trust that identity depends partly on the hash algorithm the Certificate Authority used to sign the certificate. For security reasons, the old SHA-1 algorithm is being replaced by SHA-256.

SSL certificates protect internet connections by encrypting data and validating the identity of the other party. Whether a browser can verify who signed a certificate (the Certificate Authority, or CA) depends on the signing algorithm: the CA hashes the certificate contents and signs that hash, so a hash that allows collisions would let an attacker obtain a signature that also validates a certificate the CA never saw. Following advice from the National Institute of Standards and Technology (NIST), all major browser vendors and CAs have decided that the dominant SHA-1 algorithm is no longer safe enough for use in SSL. Since 2014, most CAs supply SSL certificates signed with the newer SHA-256. Browsers already support SHA-256 and will begin dropping support for SHA-1 in the near future.

What does this mean?

When browsers begin dropping support for SHA-1, sites whose SSL certificates are still signed with it will be affected. The first step is a warning message to the user; later the website will actually be blocked. The current planning is as follows:

  • Microsoft will stop supporting SHA-1 code signing certificates from 2016 and SHA-1 SSL certificates in Internet Explorer from 2017. These dates may be revised in July 2015.
  • Google will start showing warnings in Chrome 39 (end of September 2014) for SHA-1 certificates that remain valid after 1 January 2017. Each subsequent version (Chrome 40 and 41) shows a more serious warning and lowers the expiry date that triggers it.
  • Mozilla will also start rejecting SHA-1 certificates that are valid after 2016 in Firefox within a few months.
[Image: Google Chrome warning progression for the old SHA-1 certificates]

At the moment, we ask our customers which type of certificate they want when they request a new certificate or reissue an existing one. We strongly advise SHA-256 unless they expect a significant share of their users to be on very old browsers and devices. Because some older browsers and operating systems do not support SHA-256, that can still be a reason to choose the older algorithm.

SHA-256 signatures are supported by the following browser versions and later. Note that support also depends on the operating system: Windows XP, for example, only validates SHA-256 signatures from Service Pack 3 onward.

  • Internet Explorer 7+
  • Google Chrome 26+
  • Mozilla Firefox 1.5+
  • Apple Safari 5+
  • Opera 9.0+
  • Konqueror 3.5.6+

How to upgrade your certificate

If you have an SSL certificate registered with Cyso that is signed with SHA-1, we recommend you upgrade to SHA-256. It is safer, and your users and clients will not be confronted with warnings and errors in the future. We can upgrade your certificate free of charge.

If you are not sure which signing algorithm your certificate uses, you can check it with our online checker: supply the host or domain name of your SSL certificate and wait for the results.
You can also check the signing algorithm of an SSL certificate in your browser's certificate viewer, where it is listed as the signature algorithm (for example "sha1WithRSAEncryption" or "sha256WithRSAEncryption").
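The same check can be scripted. The example below is added here and is not part of the original post or of Cyso's checker: it reads a certificate in DER form, walks the outer ASN.1 structure to the signatureAlgorithm field and maps its OID to a name, flagging SHA-1 signatures. The three sample certificates are constructed inside the script (a placeholder tbsCertificate and an all-zero signature) purely to exercise the parser; the live-lookup path uses only Python's standard ssl module. All function names are our own.

```python
"""Report the signature hash algorithm of an X.509 certificate (added example)."""
import ssl
import sys

# signatureAlgorithm OIDs from RFC 3279, RFC 4055 and RFC 5758.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA1_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]      # first octet packs the first two arcs
    value = 0
    for b in raw[1:]:                       # remaining arcs are base-128, MSB = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, name) from the outer signatureAlgorithm of a DER-encoded Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, pos, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, pos)              # skip tbsCertificate entirely
    tag, alg_start, _ = read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(der[oid_start:oid_end])
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def needs_upgrade(der):
    """True when the certificate is signed with SHA-1 and should be reissued with SHA-256."""
    return signature_algorithm(der)[1] in SHA1_ALGS


def fetch_der(host, port=443):
    """Fetch the leaf certificate a server presents (network access required)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# --- constructed samples: NOT real certificates, only the outer structure is realistic ---
def _tlv(tag, content):
    """Minimal DER encoder used only to build the samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def make_sample_cert(sig_oid_content):
    """Certificate-shaped blob with a placeholder tbsCertificate and an all-zero signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                            # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, sig_oid_content) + _tlv(0x05, b""))  # AlgorithmIdentifier
    sig = _tlv(0x03, b"\x00" * 17)                                   # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


SAMPLE_SHA1 = make_sample_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SAMPLE_SHA256 = make_sample_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
SAMPLE_ECDSA = make_sample_cert(bytes.fromhex("2a8648ce3d040302"))     # 1.2.840.10045.4.3.2

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # python check_sig_alg.py www.example.com
        targets = [(sys.argv[1], fetch_der(sys.argv[1]))]
    else:
        targets = [("sample-sha1", SAMPLE_SHA1), ("sample-sha256", SAMPLE_SHA256),
                   ("sample-ecdsa", SAMPLE_ECDSA)]
    for label, der in targets:
        oid, name = signature_algorithm(der)
        verdict = "UPGRADE to SHA-256" if needs_upgrade(der) else "OK"
        print(f"{label}: {name} ({oid}) -> {verdict}")
```

Run it without arguments to see the three constructed samples, or pass a host name to inspect a live server; the field it reports is the one `openssl x509 -noout -text` prints as "Signature Algorithm". The script only looks at the leaf certificate: the browser warnings described above also apply to SHA-1-signed intermediate certificates in the chain, so check those too (root certificates are exempt, since browsers do not verify the self-signature of a trusted root).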

[Image: visual difference between the old (SHA-1) and new (SHA-256) signature algorithm in the browser's certificate details]

If the results show that your certificate is signed with SHA-256, there is nothing you need to do; your certificate is up to date. If it is signed with SHA-1, we recommend you upgrade, especially if the certificate is valid beyond 2016.

Please contact our service desk to request and perform the upgrade.
