DigiCert released a free tool which helps system administrators analyze their use of SHA-1 hashing algorithms across all domains and subdomains and map out a path for SHA-2 migration.
Google’s announcement that it would accelerate deprecation of SHA-1 certificates, including giving untrusted warnings to sites with SHA-1 certificates that expire in 2016, makes it necessary for many administrators to migrate to SHA-2 as early as November or risk their customers receiving downgraded trust indicators in Chrome.
Using the DigiCert SHA-1 Sunset Tool, administrators can determine validity periods for their SHA-1 SSL certificates and receive information about how Google’s new policy will affect user interaction with these certificates. DigiCert issues new certificates with SHA-2 by default and has done so for nearly a year. For those choosing to migrate an existing SHA-1 certificate to a new DigiCert-issued SHA-2 certificate, DigiCert will provide a free replacement matching the length of the existing certificate licensing term, regardless of whether they are a DigiCert customer.
“With the busy holiday shopping season nearing and the threat of a downgraded user trust experience looming for Chrome users, DigiCert is taking extra steps to help ease the burden of accelerated SHA-2 migration timelines for administrators,” said DigiCert CEO Nicholas Hales. “Our new SHA-1 Sunset Tool saves time and effort by providing a comprehensive analysis of an organization’s certificate landscape, including where SHA-1 certificates exist, which software and hardware support SHA-2, and a review of how Google’s new timelines may affect any given site. We also understand that SHA-2 migration involves costly system and device upgrades for organizations and so we’re offering to match for free the remaining term of any existing SHA-1 certificate that is converted to SHA-2.”
Some key timelines are important to keep in mind regarding Google’s SHA-1 deprecation:
- November 2014 – SHA-1 SSL Certificates expiring any time in 2017 will show a warning in Chrome.
- December 2014 – SHA-1 SSL Certificates expiring after June 1, 2016 will show a warning in Chrome.
- Q1 2015 – SHA-1 SSL Certificates expiring any time in 2016 will show a warning in Chrome.
Additionally, Microsoft has announced the following SHA-1 deprecation timelines:
- January 1, 2016 – Certificate Authorities must stop issuing new SHA-1 SSL and Code Signing Certificates.
- Microsoft will stop trusting SHA-1 Code Signing Certificates without time stamps.
- January 1, 2017 – Microsoft will stop trusting SHA-1 SSL Certificates.