Does migration to SHA-2 have anything to do with the Heartbleed bug?
This change is unrelated to the Heartbleed bug.


When is this happening?
The first change will go into effect on November 14, 2014.


Why is this happening?
This change was agreed to jointly by the browser and certificate vendor industry consortium in order to ensure that certificates are replaced in advance of their vulnerabilities being exploited.


What organizations are affected by this change?
All SSL certificate users are affected.


Are all certificate vendors affected?
Yes. This change affects all vendors issuing certificates. Continued use of SHA-1 certificates will result in warnings in browsers, regardless of the issuing vendor.


What is the difference between SHA-1 and SHA-2?
SHA-1 and SHA-2 are cryptographic hash functions, not encryption algorithms. The hash used in SHA-2 is significantly stronger and not subject to the same vulnerabilities as SHA-1.


Do I need to replace all of my certificates?
All certificates that will be used to secure browser-based communications need to be replaced. Certificates used for other types of applications should be reviewed on a case-by-case basis.


What types of certificates does this affect?
This affects all types of certificates, regardless of validation method.


What if I’m using EV certificates?
This affects all types of certificates, including extended validation (EV) SSL certificates.


How do I know which certificates to replace?
All certificates used to secure browser-based communications need to be replaced. Certificates used for other types of applications should be reviewed on a case-by-case basis.


When do I need to replace my certificates?
The first change will go into effect on November 14, 2014.


Is there a way to replace all my certificates at once?
It is not advised to globally replace certificates without first reviewing for compatibility.


How long will it take to replace my certificates?
This will depend on the tools available to discover all certificates and then order replacements.

What if they are not on public-facing applications?
Certificates on all servers should be replaced where possible. Browsers will display warnings regardless of whether the application is internal or external.

Are mobile browsers using this as well?
This is a case-by-case decision by the vendors.

How does this affect mobile apps using SSL?
Mobile applications should be tested to make sure they support SHA-2 certificates.

How do I know whether my website is using SHA-1 or SHA-2 certificates?
Open the certificate details and look at the “Signature Algorithm” field; it indicates the type of certificate in use.

How do I find all my SHA-1 certificates?
Manual tracking systems are generally time-consuming and unreliable. The quickest and most comprehensive way to find all certificates is to use scanning and discovery tools that find certificates from any vendor.
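
As an added example (not part of the original FAQ and not Entrust tooling), the Python code below reads the “Signature Algorithm” field directly from a PEM or DER certificate and lists the SHA-1 entries in an inventory. The OID table is partial, the function names are illustrative, and the two sample byte strings are constructed skeletons rather than real certificates.

```python
import base64

SIG_ALGS = {  # OID in the "Signature Algorithm" field -> (name, hash family)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def signature_family(cert):
    """Return (algorithm name, hash family) for a PEM or DER certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(b"".join(cert.strip().splitlines()[1:-1]))
    _, _, tbs_end = read_tlv(cert, read_tlv(cert, 0)[1])  # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)             # signatureAlgorithm
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(cert[oid_start:oid_end])
    return SIG_ALGS.get(oid, (oid, "unknown"))  # unlisted OIDs are reported as-is

def find_sha1(inventory):  # inventory: name -> PEM or DER bytes
    return sorted(n for n, c in inventory.items() if signature_family(c)[1] == "SHA-1")

# Constructed skeletons (placeholder tbsCertificate and signature), not real certificates.
SAMPLE_SHA1 = bytes.fromhex("3018 3003020102 300d 0609 2a864886f70d010105 0500 03020000")
SAMPLE_SHA256 = bytes.fromhex("3018 3003020102 300d 0609 2a864886f70d01010b 0500 03020000")
```

Entries reported as "unknown" carry their OID in place of a name so they can be reviewed by hand.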

Is anyone using SHA-2 now? Has it been tested?
SHA-2 is currently in use and is compatible with current browsers. It has not been tested for all use cases in all applications.

Do I need to buy new certificates?
Most certificate vendors will not require the purchase of new certificates.

What if the certificate is expiring before the deadline?
If your certificates expire before the deadline, it is advised they be replaced with SHA-2 upon expiration.

What is the best way to migrate my certificates?
That will depend upon your organization. Consult Entrust’s Step-by-Step SHA-2 Migration Guide for details.

Is there anything I need to modify in my applications?
This will depend on whether the application is compatible with SHA-2. It is advised to test all applications for compatibility.

What can we expect from the other browser vendors?
All browser vendors will need to be in compliance with this agreement over time.

Are there any compliance requirements for SHA-2?
U.S. NIST regulations currently require the use of SHA-2. This FAQ will be updated as other requirements emerge.