Transitioning your certificates to the stronger SHA-2 hashing algorithm

Background

The SHA family of hashing algorithms was developed by the National Institute of Standards and Technology (NIST) and is used by certificate authorities (CAs) like Comodo when digitally signing the certificates that we subsequently issue to end entities.

The most popular of these hashing algorithms today is SHA-1, which was widely adopted by CAs as the successor to the MD5 algorithm because it represented a huge advance in cryptographic security. Now, due to the ever-present requirement to strengthen processes and techniques against a background of constantly improving computational power, it is the turn of SHA-1 to be replaced with its successor - SHA-2.

This page outlines important dates regarding the deprecation of SHA-1 over the coming years and the part Comodo will play in ensuring our customers and partners make a seamless transition to SHA-2 based certificates.

Microsoft's SHA-1 deprecation plan (all Microsoft products, including Windows® and Internet Explorer®)

  • January 1 2016: Microsoft ceases to trust Code Signing Certificates that use SHA-1
  • January 1 2017: Microsoft ceases to trust website SSL Certificates that use SHA-1
  • July 2015: Microsoft will conduct a status review and might accelerate the two dates above

Microsoft's official policy statement is reproduced at the end of this page.

How Does this Affect Me?

If you have a SHA-1 based certificate which expires after the dates listed above then you need to have it replaced with a SHA-2 version before the deadline. SHA-1 based certificates will continue to be trusted by Microsoft® software up until the dates listed above, but not afterwards. After these dates have passed, Microsoft software such as Internet Explorer® and Windows® will reject code signing and SSL certificates that use SHA-1.

Although Microsoft is the first to explicitly name an end-of-life timescale for SHA-1, it is likely that other major vendors such as Mozilla, Google, Apple and Opera will follow suit in the coming months. Comodo, along with all other major CAs in the Certificate Authority Security Council, strongly advises our customers and partners to plan on upgrading their certificates to SHA-2 as soon as possible.

Comodo's SHA-2 transition plan

  • 1st April 2014: Comodo continue to offer a free certificate re-issuance program for SSL.

    All existing SSL customers can have their SHA-1 SSL certificate replaced with a SHA-2 equivalent by logging into their account, locating the certificate order and using the existing 'Replace Certificate' facility. Please make sure to supply a SHA-2 CSR (or select the 'SHA-2' option under 'Hash Algorithm' on the certificate order form).

  • April 2014: Comodo will present SHA-1 and SHA-2 purchase options at every point of sale.

    We will combine this with marketing and customer outreach campaigns aimed at educating new and returning customers that they should, if possible, choose the SHA-2 option. While SHA-1 may be presented as the default ordering option at first, this will be flipped to SHA-2 in due course and we will eventually remove the SHA-1 option entirely.

  • April 2014: Comodo will support only SHA-2 on all 3 year code signing certificates. We will also confirm policies at this time regarding 2 year SHA-1 code signing certificates.

  • April 2014: Comodo will support only SHA-2 on all 4 year SSL certificates. We will also confirm policies at this time regarding 3 year SHA-1 SSL certificates.

  • May 2014: Comodo will support automated, on-demand re-issuance of code-signing certificates. Customers will be able to easily replace SHA-1 code-signing certificates with SHA-2 versions by logging into their accounts.

  • January 1 2016: Comodo will no longer issue new SHA-1 based code signing or SSL certificates.

    This date is subject to change based on the Microsoft guidelines.
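The rule in "How Does this Affect Me?" (a SHA-1 certificate that expires after Microsoft's deadline must be replaced) and the re-issuance step's requirement to supply a SHA-2 CSR both come down to one question: which signature algorithm is recorded in the object you hold? The following Python script is an added example, not Comodo's code or tooling. It reads the outer signatureAlgorithm of a DER or PEM certificate, maps its OID to a hash family, and applies the deadline rule; because a DER CertificationRequest has the same outer layout (info, AlgorithmIdentifier, signature), the same function also confirms that a CSR was signed with SHA-256 before you paste it into the 'Replace Certificate' form. The OID table, the DEADLINES constants and all function names are mine, and the sample inputs are constructed, structurally valid but meaningless DER objects rather than real certificates.

```python
"""Added example (not Comodo's code): report the hash family signing a DER/PEM certificate or CSR."""
import base64
import re
from datetime import date

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) mapped to name and hash family.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

# Deadlines quoted on the page from Microsoft's policy: code signing, then SSL.
DEADLINES = {"codesign": date(2016, 1, 1), "ssl": date(2017, 1, 1)}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:                        # base 128; high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem_text):
    """Strip PEM armour lines and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def signature_algorithm(der_bytes):
    """Return (oid, name, family) for the outer signatureAlgorithm of a DER Certificate or
    CertificationRequest; both are SEQUENCE { info, AlgorithmIdentifier, BIT STRING }."""
    outer, body, _ = read_tlv(der_bytes, 0)
    _, _info, pos = read_tlv(body, 0)        # tbsCertificate / certificationRequestInfo: skipped
    tag, alg, _ = read_tlv(body, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag2, oid_bytes, _ = read_tlv(alg, 0)
    if outer != 0x30 or tag != 0x30 or tag2 != 0x06:
        raise ValueError("AlgorithmIdentifier not where a Certificate/CSR would have it")
    oid = decode_oid(oid_bytes)
    name, family = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, family


def needs_replacement(der_bytes, not_after_iso, kind="ssl"):
    """Page rule: a SHA-1 certificate that expires after the deadline must be reissued as SHA-2."""
    expires = date.fromisoformat(not_after_iso)
    return signature_algorithm(der_bytes)[2] == "SHA-1" and expires > DEADLINES[kind]


def der(tag, content):
    """Encode one DER TLV, using the long-form length when content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode dotted OID notation into OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_signed_structure(sig_oid, filler=200):
    """Constructed test data, not a real certificate: a structurally valid but meaningless
    Certificate/CSR-shaped SEQUENCE whose outer signatureAlgorithm carries sig_oid."""
    alg_id = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    info = der(0x30, der(0x02, b"\x02") + alg_id + der(0x04, b"\x00" * filler))  # filler forces long-form length
    return der(0x30, info + alg_id + der(0x03, b"\x00" + b"\xAB" * 32))


def der_to_pem(der_bytes, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armour (64-column base64), the form pasted into order forms."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"
```

For a real file, call signature_algorithm(pem_to_der(open(path).read())) on PEM input, or pass the bytes of a DER file directly. The hash that signs a CSR is only a request: the CA chooses the hash it signs the issued certificate with, which is why the order form also exposes an explicit 'Hash Algorithm' selection, so check the issued certificate again after re-issuance.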

SHA-2 Compatibility Notes

This is a list of popular software that supports SHA-2:

  • Windows XP SP3 and above (including Windows 8.1, 8.0 and Vista)

    Unfortunately XP SP2 and older do not support SHA-2. However, the vast majority of XP users have already updated to SP3 at the time of writing and this figure will be insignificant by the time the deadlines arrive. Microsoft have also declared XP end-of-life in 2014 and the OS will no longer be officially supported.
  • Windows Server 2003 and above
  • Apple Mac OS X 10.5 and above
  • Oracle Java 1.4.2 and above
  • Mozilla Firefox 1.5 and above
  • Opera 9 and above

If you have a particular piece of software that you have concerns over, we would suggest contacting the software vendor to see if they have, or are planning to offer, SHA-2 support.

Comodo have a test site that uses a SHA-2 certificate. You can test software and devices against this URL to attempt to determine SHA-2 compatibility: https://sha256rsa.comodoca.com

Microsoft - SHA1 Deprecation Policy

The following, italicized, text was taken from
http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx on March 5th 2014.

There will be separate time-lines for discontinuing SHA1-based SSL and code signing certificates.

  • CAs must stop issuing new SHA1 SSL and Code Signing certificates by 1 January 2016.
  • For SSL certificates, Windows will stop accepting SHA1 certificates by 1 January 2017. This means any SHA1 SSL certificates issued before or after this announcement must be replaced with a SHA2 equivalent by 1 January 2017.
  • For code signing certificates, Windows will stop accepting SHA1 signed code and SHA1 certificates that are time stamped after 1 January 2016. SHA1 signed code time stamped by an RFC 3161 Time Stamp Authority before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack.
  • The Program will no longer accept for distribution new root certificates with code signing use supporting SHA1 or RSA 2048. New code signing root certificates must support SHA2 and RSA 4096.

© 2014 Microsoft Corporation. All rights reserved.

About Comodo

The Comodo companies are leading global providers of Security, Identity and Trust Assurance services on the Internet. Comodo CA offers a comprehensive array of PKI Digital Certificates and Management Services, Identity and Content Authentication (Two-Factor - Multi-Factor) software, and Network Vulnerability Scanning and PCI compliance solutions. In addition, with over 10,000,000 installations of its threat prevention products, Comodo Security Solutions maintains an extensive suite of endpoint security software and services for businesses and consumers.

Continual innovation, a core competence in PKI and a commitment to reversing the growth of Internet-crime distinguish the Comodo companies as vital players in the Internet's ongoing development. Comodo, with offices in the US, UK, China, India, Romania and the Ukraine, secures and authenticates the online transactions and communications for over 700,000 business customers and millions of consumers, providing the intelligent security, authentication and assurance services necessary for trust in on-line transactions.

Comodo Security Solutions, Inc.
1255 Broad Street
STE 100
Clifton, NJ 07013
United States
Tel : +1.877.712.1309
Email: EnterpriseSolutions@Comodo.com

Comodo CA Limited
3rd Floor, 26 Office Village
Exchange Quay, Trafford Road
Salford, Greater Manchester M5 3EQ
United Kingdom.
General Enquiries: Tel: +44 (0) 161 874 7070
Partner Validation/Support: Tel: +44 (0) 151 554 9055
Fax : +44 (0) 161 877 1767

For additional information on Comodo - visit http://www.comodo.com.