SSL - FAQs



1. Do I need to upgrade my SHA1-signed SSL Certificate?
2. What are the SHA1 and SHA256 algorithms?
3. For Chrome users, my website is presenting some visual warning, is there a security problem with my SSL Certificate?
4. When should I replace my SHA1-signed SSL certificate?
5. How much does it cost to replace my SSL Certificate?
6. Will my users experience problems with a SHA256-signed SSL Certificate?
7. What are the important dates to consider in a migration to SHA256 SSL Certificate?
8. What will the users of my website experience with SHA1-signed SSL certificates?
9. What should I consider when replacing my SHA1-signed SSL certificates?


1. Do I need to upgrade my SHA1-signed SSL Certificate?
IdenTrust recommends that you replace any SHA1-signed SSL certificate expiring after June 1, 2016 with a free SHA256-signed certificate as soon as possible.

There are two reasons for this recommendation:
  1. SHA256 makes it far more difficult for fraudsters to forge your certificate; and
  2. Starting in November 2014, Google's Chrome browser will show negative visual warnings to users of websites protected with SHA1-signed certificates.

2. What are the SHA1 and SHA256 algorithms?
In a nutshell, they are mathematical operations used to encrypt information. IdenTrust certificates are created with a signature embedded in them to prevent forgery. The signature uses the SHA1 or SHA256 algorithm. Certificates signed with SHA256 are much more difficult to attack than those signed with SHA1. To date, there have been no successful attacks on the SHA1 algorithm, but with the rapid increase of computing power, it is becoming easier to mount those attacks.

3. For Chrome users, my website is presenting some visual warning, is there a security problem with my SSL Certificate?
No, your IdenTrust SHA1-signed SSL certificate is currently secure. Your certificate is creating secure tunnels with your users. Though this is still the case, starting in November 2014, the Google Chrome browser will present visual warning messages to users of SHA1-protected SSL sites as a mechanism to accelerate the migration of services to the more secure SHA256 technology. Be aware that other browsers are not presenting these visual warnings, so not all of your users will have the same experience.

4. When should I replace my SHA1-signed SSL certificate?
IdenTrust recommends that you replace your certificate as soon as possible. Though your certificate is secure, users of the Google Chrome browser will experience progressively more negative warnings starting in November 2014. The gravest warnings will be shown in versions 40 and 41 of the browser, which will be available in December and the first quarter of next year respectively.

5. How much does it cost to replace my SSL Certificate?
For current customers, IdenTrust offers free replacements for its SSL certificates.


6. Will my users experience problems with a SHA256-signed SSL Certificate?
There is a small chance some of your users may experience difficulties. Though all modern browsers support SHA256-signed certificates, users of older platforms, such as Windows XP SP2, will experience issues when accessing a website secured with the newer technology.
You must assess your user base to understand the effects of protecting your website with the latest technology. If you need to continue using SHA1-signed SSL certificates and you are receiving visual warnings in Google Chrome, IdenTrust may be able to provide a temporary solution while your users complete the migration to modern technologies.

7. What are the important dates to consider in a migration to SHA256 SSL Certificate?

Now: IdenTrust SHA256-signed SSL certificates are available
November 2014: Google Chrome version 39, with visual warnings, widely available
December 2014: Google Chrome version 40, with stronger visual warnings, widely available
Q1 2015: Google Chrome version 41, with strongest visual warnings, widely available
May 15 2015: IdenTrust will no longer provide SHA1-signed SSL certificates for special cases
January 1 2017: Google Chrome, Microsoft IE and Mozilla Firefox browsers no longer support SHA-1 SSL certificates. You must have a SHA256-signed certificate installed on your website to ensure it can be accessed with any of the browsers

8. What will the users of my website experience with SHA1-signed SSL certificates?
Your users’ experience will depend on the browser used to access your website and the expiration date of your certificate. The table below addresses the more severe cases of certificates signed with SHA1 that expire after January 1, 2017.

Browser          Today   November 2014 forward             December 2014 forward              Q1 2015 forward
Google Chrome    https   https "secure with minor errors"  https "neutral, lacking security"  https "affirmatively insecure"
Mozilla Firefox  https
Microsoft IE     https

9. What should I consider when replacing my SHA1-signed SSL certificates?
Your users' browsers and operating systems support for SHA256 technology
  • If all your users can support SHA256 technology, you may be able to migrate without significant issues for your users
  • If some users may not support SHA256 technology, you may need to consider maintaining a SHA1-signed certificate
The expiration date of your SHA1-signed certificate
  • If your certificate expires prior to June 1, 2016, your Chrome users will not receive visual warnings
  • If your certificate expires after June 1, 2016, your Chrome users will receive visual warnings, and you may want to replace your SHA1-signed SSL certificate
The steps prior to replacing your SHA1-signed certificate
  • Obtain and upload the certificate chain for your new SHA256-signed certificate. The chain is available here: http://validation.identrust.com/certs/trustidcaa52.p7c
  • Have your account number and account password available to make the replacement
  • Have a CSR (the original one or a new one) prior to starting the process
  • Ensure time availability and access to your server to replace the SHA1-signed SSL certificate. When you obtain your replacement certificate, our system automatically revokes the old certificate. You should immediately install the new certificate to prevent service interruptions.
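
The two checks in this answer (signature algorithm and expiration date) can be run against the text printed by `openssl x509 -in cert.pem -noout -text`. The following is an added example, not IdenTrust code; the function name, status labels and sample text are assumptions made for illustration.

```python
import re
from datetime import datetime

# Dates from the FAQ. Boundary days are treated as "after" (an assumption;
# the FAQ only says "prior to" and "after").
CHROME_WARNING_CUTOFF = datetime(2016, 6, 1)
SEVERE_CUTOFF = datetime(2017, 1, 1)

# Constructed sample in the layout printed by
# `openssl x509 -in cert.pem -noout -text` (not a real certificate).
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Aug 12 00:00:00 2014 GMT
            Not After : Aug 12 23:59:59 2017 GMT
"""

def assess_certificate(openssl_text):
    """Return (hash_name, not_after, status) for one certificate text dump."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", openssl_text)
    end = re.search(r"Not After\s*:\s*(\w{3}\s+\d{1,2} [\d:]{8} \d{4}) GMT",
                    openssl_text)
    if not alg or not end:
        raise ValueError("missing Signature Algorithm or Not After field")
    # openssl pads single-digit days with two spaces; normalise before parsing.
    not_after = datetime.strptime(" ".join(end.group(1).split()),
                                  "%b %d %H:%M:%S %Y")
    # Covers names such as sha1WithRSAEncryption and ecdsa-with-SHA256.
    digest = re.search(r"sha-?(\d+)", alg.group(1).lower())
    hash_name = "sha" + digest.group(1) if digest else "unknown"
    if hash_name == "unknown":
        status = "review-manually"            # e.g. MD5 or an unparsed name
    elif hash_name != "sha1":
        status = "no-action"                  # SHA-2 family signature
    elif not_after < CHROME_WARNING_CUTOFF:
        status = "sha1-no-chrome-warning"
    elif not_after < SEVERE_CUTOFF:
        status = "sha1-chrome-warning"
    else:
        status = "sha1-most-severe-warnings"  # the case tabled in question 8
    return hash_name, not_after, status

if __name__ == "__main__":
    print(assess_certificate(SAMPLE_TEXT))
```
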
© IdenTrust, Inc. All Rights Reserved.