Microsoft, Google and Mozilla have all announced plans to stop supporting SHA-1 SSL certificates after January 1, 2017. As a result, SSL.com began issuing SSL certificates using only SHA-2 (specifically SHA-256) as the default hashing algorithm starting September 24, 2014. No special flags or indicators are needed when generating the CSR (certificate signing request) to obtain a SHA-2 SSL.com certificate.
In addition, all existing SSL.com customers are encouraged to reprocess or rekey their existing certificate orders to upgrade from SHA-1 to SHA-2. As always, rekeying certificates is a free service that SSL.com customers can use as many times (and for as many private keys) as needed.
SHA-1 will remain an option, with a limited expiration date.
On January 1, 2015, the following went into effect:
- SHA-1 code signing certificates could no longer be issued (SHA-2 only)
- Any SHA-1 certificates (DV, OV and EV) issued from this date will be valid for only 1 year
On January 1, 2016, the following will go into effect:
- SHA-1 certificates of any kind will no longer be issued.
Highlights of SSL.com’s SHA-2 rollout:
- All new certificates will default to SHA-2
- SHA-1 will remain an option (with a limited expiration date)
- All existing SHA-1 certificates can and should be re-issued as SHA-2, free of charge