Upcoming SHA-256 SSL Certificate Requirements

Most web sites, e-mail servers, database servers, and other internet services protect their data with SSL (Secure Socket Layer) certificates to ensure the confidentiality and authenticity of the site and its data. An SSL certificate is a small data file that associates a cryptographic key to an organization or end user. Any time you use a browser to access a web site with the https:// protocol, the server is using an SSL certificate to authenticate the identity of the server and secure that connection.

One of the recent security shifts in the IT industry is the transition from signing SSL certificates with the SHA-1 hashing algorithm to signing them with the more secure SHA-256 hashing algorithm. The transition is being spurred by recent advances in cryptographic attacks on SHA-1, demonstrating that SHA-1 is becoming more susceptible to collision and pre-image attacks.

Already some web browsers are alerting users with a warning for sites which have not yet moved to the newer SHA-256 based certificates. In January of 2017, all web browsers will stop trusting all SHA-1 based certificates. At the same time, Microsoft Windows will no longer recognize certificates using the older SHA-1 certificates for any operations. This means if you run a server with SSL certificates, you should start upgrading your certificates to SHA-256 as soon as possible, and at the very latest by the end of 2016. Waiting until the end of 2016 is a bad idea, since it will mean (a) months of annoying warnings to your users, (b) some web browsers, systems or applications not working with your sites, and (c) your being caught in the rush of last minute updates, which will no doubt slow down the certificate authority's ability to quickly issue new certificates.

Most Certificate Authorities are already issuing SHA-256 certificates. Some will even allow you to upgrade your old certificate to SHA-256 for free (if you pay a provider for your certificates). Most common web browsers, mail clients, web and mail servers, and mobile devices already support SHA-256, allowing you to immediately and safely upgrade your certificates and benefit from the higher security it offers now rather than later. We encourage anyone who has servers using SSL certificates and who has not already converted to SHA-256 to do so as soon as possible.

As always, we can help assist you with this transition, should you need help. For help or information, please contact the CNS Help Desk at https://www.cns.utexas.edu/help/ or help@cns.utexas.edu.

Written by Eric Rostetter, Senior System Administrator
Questions or comments? The best and easiest way to contact us is via the CNS Help Desk form.