Migrate to SHA-2 SSL Certificates – A Step-by-Step Migration Guide
Many organizations urgently need to upgrade to SHA-2 (also known as SHA-256) SSL certificates in conjunction with updated federal and PCI compliance standards currently in place, as well as to meet Microsoft’s and Google’s SHA-1 deprecation policies set to begin in November 2014.
SHA-1 has been in use among commercial certification authorities (CAs) since the late 1990s, and today accounts for the overwhelming majority of digital certificates in use. As of June 2014, SHA-1 SSL certificates accounted for over 98 percent of certificates issued worldwide.
Recent advances in cryptographic attacks on SHA-1 have led to the decision that the industry must not only prohibit continued issuance of SHA-1 certificates but also transition to SHA-2 certificates, which are exponentially more secure. With SHA-2 certificates now available and widely supported by browsers and servers, and the technical deadline for replacement fast approaching, organizations need to establish a migration path and process to ensure that there are no service disruptions or compromises of their security posture.
Failure to migrate to SHA-2 in a timely manner will result in browsers not displaying content properly and end-users receiving security warnings. This often causes users to abandon a site or transaction, or to call support services such as helpdesks or customer service. System outages are also a possibility if certificates are replaced improperly.
The plan for replacement and issuance of new certificates will require the coordination of people, process and technology across an organization. This paper will describe the technical and business impact of SHA-1 migration as it pertains to SSL certificates only. It will outline a recommended migration path to minimize the cost and operational impact of replacing affected SSL certificates.
For an in-depth breakdown of how to develop a successful transition to SHA-2, download “A Migration Guide to SHA-2 SSL Certificates: Avoiding pitfalls, meeting critical deadlines and eliminating service disruptions during SHA-1 certificate deprecation.”