
Information About Requiring the SHA-2 Hash Function

All SSL certificates signed with the older SHA-1 hash function need to be re-keyed so that they are signed with SHA-2, and that should be done now. SHA-1 is no longer considered collision-resistant, and a certificate whose signature rests on a weak hash can no longer be relied on to prove that a key belongs to the site it names, which defeats the purpose of an SSL certificate.

Additional Information

An SSL certificate lets your visitor's browser verify that it is really talking to your website's server and then set up an encrypted connection, so that anyone eavesdropping on the conversation cannot read things you don't want them to know about: typically sensitive information like credit card and Social Security numbers. The hash function is not what encrypts that traffic. It is used in the Certificate Authority's digital signature on the certificate itself: the CA hashes the certificate's contents and signs that hash, and the browser recomputes the hash to check the signature before it trusts the certificate.

Though they protect different things, code signing certificates rely on the same kind of signature to "sign" executable code when its developer releases it: the file is hashed and the hash is signed. If the code is tampered with, its hash no longer matches the signed one, the signature fails to verify, and the user is warned when they try to run it.

The hash function we most commonly used for certificate signatures prior to Dec. 23, 2013, was called SHA-1; it has been in use since SSL certificates were first deployed in the mid-1990s.

However, as computers increase in power, it is becoming more feasible to find two different inputs that SHA-1 hashes to the same value (a collision). A hash is not "decrypted"; the danger is that a signature a CA issues on one certificate would be equally valid for a second, forged certificate that hashes to the same value. Because of that, Microsoft® is driving a new industry policy that requires all Certificate Authorities, including us, to use SHA-2 as the default hash function for signatures. Google is also on board and will have its Chrome® browser begin warning visitors of security issues with certificates signed using SHA-1.

Does my certificate have to use SHA-2?

New certificates we issue with expiration dates after Jan. 1, 2017, can only be signed with SHA-2.

Code signing certificates with expiration dates after Dec. 31, 2015, must also be signed with SHA-2, with one exception: SHA-1 code signing certificates may continue to be used to sign files intended for Windows Vista and earlier versions of Windows. You can find more information in Microsoft's article Windows Enforcement of Authenticode Code Signing and Timestamping.

Certificates that have already been issued do not have to be replaced, but we highly recommend it. Moving to SHA-2 now future-proofs your server and improves its security. You can switch by simply re-keying your certificate: re-keying generates a new key pair and certificate signing request, and the certificate we re-issue for it is signed with SHA-2. Keep in mind that the hash you pick when generating the CSR only signs the CSR itself; the hash used in the issued certificate is chosen by the CA, which is why re-keying through us is what actually moves you to SHA-2. Check that your intermediate certificate is SHA-2 as well, since browsers verify every signature in the chain below the root. For more information, see Rekey certificate.
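To tell whether a certificate, and the intermediates beneath it, is still signed with SHA-1 before deciding to re-key, here is an added Python example; it is not code from this page or from any CA. It reads the signatureAlgorithm OID straight out of each certificate's DER, so it needs only the standard library and verifies nothing. The certificates it runs on are constructed inside the block (dummy contents, zero signature) and are not real; the function names and the helper that builds them are assumptions of this example. The root's self-signature is skipped because browsers trust roots by identity and never check it.

```python
"""Audit which hash algorithm signed each certificate in a PEM bundle.

Added example, not code from the help page or a CA. It walks just enough DER
to reach Certificate.signatureAlgorithm (RFC 5280, section 4.1); the sample
certificates at the bottom are constructed here purely to exercise the parser.
"""
import base64
import re

# Standard X.509 signature algorithm OIDs and the hash family each implies.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.3.14.3.2.29": ("sha1WithRSASignature", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-2"),
}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER contents into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                  # base-128; high bit set on every byte but the last of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Return the dotted OID from Certificate.signatureAlgorithm.algorithm."""
    tag, pos, _ = read_tlv(der, 0)                     # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, pos)                 # tbsCertificate: skipped entirely
    _, alg_pos, _ = read_tlv(der, tbs_end)             # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_pos)   # algorithm ::= OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(der[oid_start:oid_end])


def audit_chain(pem_text):
    """Classify every certificate in a PEM bundle as (algorithm name, hash family)."""
    result = []
    for body in PEM_RE.findall(pem_text):
        oid = signature_oid(base64.b64decode("".join(body.split())))
        result.append(SIG_ALG_OIDS.get(oid, (oid, "unknown")))
    return result


def sha1_certs_to_rekey(pem_text, root_included=True):
    """Names of the SHA-1-signed certificates that must be replaced.

    The last certificate is dropped when root_included is True: browsers trust
    roots by identity and never verify a root's self-signature."""
    report = audit_chain(pem_text)
    if root_included and report:
        report = report[:-1]
    return [name for name, family in report if family == "SHA-1"]


# --- constructed sample input: these are not real certificates -----------

def der(tag, content):
    """Minimal DER encoder for content shorter than 65536 bytes."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Inverse of decode_oid, used only to build the sample certificates."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >= 0x80:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return bytes(out)


def fake_cert_pem(sig_oid):
    """Stand-in certificate: dummy tbsCertificate, the given signatureAlgorithm, zero signature."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" * 17)      # BIT STRING: zero unused bits, then 16 zero bytes
    b64 = base64.b64encode(der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Leaf still SHA-1, intermediate SHA-2, root SHA-1: only the leaf needs a re-key.
    bundle = (fake_cert_pem("1.2.840.113549.1.1.5")
              + fake_cert_pem("1.2.840.113549.1.1.11")
              + fake_cert_pem("1.2.840.113549.1.1.5"))
    for name, family in audit_chain(bundle):
        print(f"{name:26} {family}")
    print("re-key:", sha1_certs_to_rekey(bundle))
```

Against a real server bundle, `audit_chain(open("fullchain.pem").read())` gives the same answer that `openssl x509 -in cert.pem -noout -text` prints under `Signature Algorithm`, one entry per certificate. Anything in the list other than the root that comes back as SHA-1 is what the re-keying step above is for; an unknown OID is reported as-is rather than silently treated as safe.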

Copyright © 2005 - 2024. All rights reserved.