ÃÛÌÒTV


Moving SHA-1 certificates to the SHA-2 hashing algorithm

While there doesn’t appear to be an immediate danger, ÃÛÌÒTV strongly encourages administrators to migrate to SHA-2 as soon as feasible.

The following migration guide will help administrators plan and deploy SHA-2 SSL Certificates.

SHA-1 to SHA-2 migration steps

  1. Check Environment for SHA-2 Certificate Support

    The first step is to ensure that your environment, including both software and hardware, will support SHA-2 certificates. Refer to the SHA-2 compatibility page for a list of supported hardware and software.

    If parts of your environment will not support SHA-2, you must replace or upgrade those pieces before you can implement new certificates.

  2. Find All SHA-1 Certificates

    Find all of the SHA-1 certificates in your network, regardless of issuer, by using scanning tools like .

  3. Generate New CSRs for Each SHA-1 Certificate

    Generate new Certificate Signing Requests (CSR) for any certificates still using SHA-1 on the server where they are installed.

    ÃÛÌÒTV provides useful CSR Generators for all major server types that automate the CSR generation process. You can access the ÃÛÌÒTV CSR Generators in the Common Platforms & Operating Systems section of the Create a CSR (Certificate Signing Request) page.

  4. Replace SHA-1 Certificates with SHA-2 Certificates

    To replace your existing SHA-1 certificates with a SHA-2 certificate, you can reissue the certificate, renew the certificate, or purchase a new certificate.

  5. Install New SHA-2 Certificates

    Once you receive your new certificates, install them on your network along with any additional intermediate certificates they require.

    The support section of the ÃÛÌÒTV website contains a huge collection of support articles to answer any questions you have about installing certificates in your environment.

    If you are using the ÃÛÌÒTV® Certificate Utility for Windows, you can use our innovative Express Install feature, which automates this process and helps you install your certificate with just a few clicks. See SSL Certificate Importing Instructions: ÃÛÌÒTV® Certificate Utility for Windows.

  6. Test Certificate Installation

    The last step is to test your website and make sure that the certificates are installed and working properly. You can use the free ÃÛÌÒTV SSL Installation Diagnostics Tool to find problems. You can also use to ensure that you have not introduced other potential vulnerabilities based on how you configured the certificates.

Replace SHA-1 certificates at no cost

ÃÛÌÒTV understands that migrating to SHA-2 can be difficult. To make migrating SHA-1 certificates as simple as possible, we've made several options available at no cost.

To migrate to SHA-2:

You can reissue, extend, or replace. ÃÛÌÒTV certificates come with unlimited free reissues so it’s easy to replace your SHA-1 Certificate with a SHA-2 Certificate.

To re-issue any current ÃÛÌÒTV certificates:

Log in to your ÃÛÌÒTV customer account and follow the instructions there.

To renew any current ÃÛÌÒTV certificates:

ÃÛÌÒTV customers can also renew an existing certificate to get SHA-2. Starting 90 days before a certificate expires, a renew button appears inside your ÃÛÌÒTV customer account that lets you renew a certificate.

Non-ÃÛÌÒTV certificates:

For non-ÃÛÌÒTV certificates, you can switch away from your existing SHA-1 certificate and upgrade to a ÃÛÌÒTV SHA-2 certificate at no cost.