
SSL Certificate Authorities on the Move to SHA-2

In an earlier article, I talked about what would happen to browser support from Mozilla, Google, and Microsoft for the SHA-1 hashing algorithm used to generate and sign SSL certificates. As a reminder, Microsoft made it clear to certificate authorities, in something of an ultimatum, that they should stop using SHA-1 ("CAs must stop issuing new SHA1 SSL ...") and switch to more modern, cryptographically stronger algorithms. Today we will look at how the certificate authorities themselves responded to this, and how it will affect the owners of SSL certificates.



Below are statements that some of the major certificate authorities have published on their websites:

GoDaddy
“It is mandatory to revoke all SHA-1 certificates for their re-release using SHA-2. All new certificates with a deadline of January 1, 2017 will use only SHA-2. The remaining new certificates will also use SHA-2. Code-signing certificates whose term expires after December 31, 2015 should use SHA-2.”
Comodo
“Starting from September 8, 2014, Comodo began issuing certificates with SHA-2 by default. Depending on the expiration date of the certificate, the owners of the latter will be notified of the replacement of certificates from SHA-1 to those created using SHA-2.
Also, the Comodo Certificate Authority has published a schedule for its withdrawal from using SHA-1.



Certificates whose expiration date will be after 2016 will be re-released by Comodo using the SHA-2 hashing algorithm.”

Verisign / Symantec
“Certificate holders should start reissuing certificates by November 2014. All certificates valid until January 1, 2016 should be reissued. SHA-1 will be available, but only until December 31, 2015.”

Judging by the information on https://shaaaaaaaaaaaaaa.com/ , which contains the most up-to-date information on certificate authorities, most companies have responded adequately and in a timely manner. They offered their customers the opportunity to reissue certificates already in use free of charge. Some of the authorities temporarily kept the option of issuing certificates with the SHA-1 hashing algorithm.

In addition to the above site, you can check the SSL certificate of the site using the service from Symantec:
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

Source: https://habr.com/ru/post/242061/

