Important change announcement - deprecation of SHA-1
The use of the SHA-1 signing algorithm has been deprecated in favor of the newer and more secure SHA-2 family of hash algorithms.
Google's announcement on Sept 5th 2014 accelerated the timeline for browser checking of SHA-1 in web server SSL certificates, so that Chrome will display security warnings where SHA-1 is encountered. Visitors to a website whose SSL certificate uses SHA-1 will see a degraded security indicator in the browser.
As of 8 September 2014, Comodo issues SHA-2 certificates by default.
Actions required: depending on their expiration dates, customers are advised to replace existing SHA-1 certificates with SHA-2 based certificates. Please see the Important Dates section below, paying particular attention to the Google Chrome timeline.
New certificates issued by Comodo after Monday Sept 22nd, 2014 will be signed by a SHA-2 based intermediate certificate. This intermediate certificate must be present in the web server's keystore so that it is sent to clients together with the server certificate.
Customers must install the entire certificate chain, including the intermediate certificates, and not just the end-entity server certificate. This is best practice when installing any SSL certificate: a server that sends only the end-entity certificate leaves clients to locate the intermediate themselves, and many cannot.
Comodo's SHA-2 transition plan
SHA-1 and SHA-2 are cryptographic hash algorithms. A CA's signature on a certificate is computed over a hash of the certificate's contents, so the hash algorithm is one of the algorithms on which the digital signatures that make certificates work depend.
Over time, cryptographic algorithms become relatively weaker, degraded both by the availability of increasingly powerful computers and by advances in cryptanalysis.
Older hash algorithms such as MD2, MD4 and MD5 have already been discontinued because they are no longer adequately secure against realistic threats. SHA-1 is now going the same way.
More details are available at:
Why was this change made NOW?
The end has been in sight for SHA-1 for a long time, and NIST has directed the use of SHA-2 for some time. The recent announcements have crystallized actual dates when support for SHA-1 will be removed from mainstream operating systems and browsers.
Why should you care?
Unless you ensure your certificates are SHA-2 based by the deadlines listed, your customers may begin to see a degraded UI in their browsers. We recommend you obtain a SHA-2 based replacement certificate as soon as convenient.
The move to SHA-2 is part of a continued effort by CAs and browser vendors to ensure that the encryption standards in use at any point in time are at least 10 years ahead of the most advanced cryptanalysis techniques. SHA-1 will be de-supported altogether by the mainstream platforms you care about before 2017.
But does anything still need SHA-1?
Microsoft Windows XP SP2 and earlier do not support SHA-2. Many unlicensed copies of Microsoft Windows still run this old version (XP SP2) because Microsoft's license enforcement program (Windows Genuine Advantage) was not introduced until SP3.
What if you already have an SHA-1 certificate that expires in or after 2016?
You will always be able to get a free replacement SHA-2 certificate from Comodo.
How to identify SHA-1 certificates using CCM
Please see the attached .pdf file
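As an added example that is not part of the original announcement or the attached PDF (and not a Comodo tool), the script below does the check that the "How to identify SHA-1 certificates" section and the chain-installation advice above both call for: it walks a PEM bundle exactly as installed on a web server, reads each certificate's signature algorithm OID with a minimal DER parser (standard library only), confirms the inner tbsCertificate.signature field agrees with the outer signatureAlgorithm as RFC 5280 requires, classifies it as SHA-1 or SHA-2, and reports the expiry date so it can be compared against the browser timelines. The sample chain at the bottom is constructed in-line and is not a real, signed certificate; only the fields the auditor reads are populated. OID-to-name mapping and the SHA-1/SHA-2 grouping are the standard PKIX assignments.

```python
"""Audit the signature algorithm of every certificate in a PEM chain.
Added example, standard library only. Reads tbsCertificate.signature and the
outer signatureAlgorithm, checks they agree, and classifies SHA-1 vs SHA-2.
The sample chain at the bottom is constructed here; it is not a real certificate."""
import base64
import re

SHA1_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10040.4.3": "dsa-with-sha1",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SHA2_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def der_read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV at pos (single-byte tags only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value's contents into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    first = body[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def algorithm_oid(alg_id_value):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, oid = der_children(alg_id_value)[0]
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def audit_certificate(der):
    """Return {'oid', 'name', 'family', 'not_after'} for one DER-encoded certificate."""
    tbs, outer_alg, _sig = der_children(der_read_tlv(der)[1])
    fields = der_children(tbs[1])
    i = 1 if fields[0][0] == 0xA0 else 0    # skip the [0] EXPLICIT version when present
    inner, outer = algorithm_oid(fields[i + 1][1]), algorithm_oid(outer_alg[1])
    if inner != outer:                      # RFC 5280 4.1.1.2: the two fields MUST match
        raise ValueError(f"signature algorithm mismatch: {inner} vs {outer}")
    tag, not_after = der_children(fields[i + 3][1])[1]   # validity.notAfter
    t = not_after.decode()
    if tag == 0x17:                         # UTCTime YYMMDD...: 50-99 means 19xx
        t = ("19" if int(t[:2]) >= 50 else "20") + t
    family = "SHA-1" if inner in SHA1_OIDS else "SHA-2" if inner in SHA2_OIDS else "other"
    return {"oid": inner, "name": {**SHA1_OIDS, **SHA2_OIDS}.get(inner, inner),
            "family": family, "not_after": f"{t[:4]}-{t[4:6]}-{t[6:8]}"}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def audit_chain(pem_text):
    """Audit every certificate in a PEM bundle, in file order (leaf first on a server)."""
    return [audit_certificate(base64.b64decode("".join(m.split())))
            for m in PEM_RE.findall(pem_text)]

# --- constructed sample input: a certificate shell, not a real signed certificate ---
def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = bytes([40 * p[0] + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        body += bytes(reversed(chunk))
    return der_tlv(0x06, body)

def toy_certificate_pem(sig_oid, not_after_utc):
    """Only the fields the auditor reads are filled in; names, key and signature are empty."""
    alg = der_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")          # OID + NULL params
    validity = der_tlv(0x30, der_tlv(0x17, b"140901000000Z") + der_tlv(0x17, not_after_utc))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x10\x01")
                  + alg + der_tlv(0x30, b"") + validity + der_tlv(0x30, b"") + der_tlv(0x30, b""))
    der = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

SAMPLE_CHAIN = (toy_certificate_pem("1.2.840.113549.1.1.5", b"170301000000Z")     # leaf: SHA-1
                + toy_certificate_pem("1.2.840.113549.1.1.11", b"200101000000Z"))  # intermediate: SHA-2
```

Run against a real bundle with `audit_chain(open("chain.pem").read())`; a result with only one entry means the intermediate is missing from the installed chain, which is the mistake the installation advice above warns about. The self-signed root, if present, may legitimately still be SHA-1 signed: browsers trust roots by identity from their own store and do not verify the root's signature, so only the leaf and intermediates need to be SHA-2.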
Announcements of removal or restriction of SHA-1 support
Microsoft. The following text (italicized in the original) was taken from http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx on March 5th 2014.
There will be separate time-lines for discontinuing SHA1-based SSL and code signing certificates.
Google. Google's plans for changing the UI of Chrome when a SHA-1 certificate is detected are outlined in their blog post here:
If you have any questions and/or issues, please contact Support:
US: +1-888-266-6361; Option 3, Option 1
INTL: +1-703-581-6361; Option 3, Option 1