When you issue a certificate, several cryptographic mechanisms are at work under the hood. One of them is the SHA-1 hash algorithm, which was declared weak some months ago.
As a consequence:
- Certificates should be issued using SHA-2 instead of SHA-1
- The main browsers will progressively drop support for SHA-1 certificates, lowering the level of security they assign to them until they consider them untrusted:
  - Firefox timeline
  - Chrome timeline, and the way they will manage the lowering of security from Chrome 39, planned this month, to Chrome 41 in early 2015
- There are some incompatibility issues, mainly with Windows XP, which does not support SHA-2; as Microsoft no longer supports Windows XP, you should be safe unless you are in China
So the action plan could be:
- Test your site to check whether you use SHA-1 certificates
- Define a migration strategy suited to your audience, taking into account:
  - The expiration date of your certificates; it may change the behavior on the browser side (more details in the Chrome/Firefox timelines mentioned above)
  - The browsers' roadmaps
- Don't forget to update the whole certificate chain, i.e. get your new SHA-2 signed certificates but also the intermediate and root certificates from your certification authority. You can mix both (a SHA-2 certificate with SHA-1 authority certificates), but it's better to have a full SHA-2 certificate chain.
- Migrate to SHA-2
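
To support the "test your site" and "update the whole chain" steps, here is an added example (not from the original post) that reads the signature algorithm of every certificate in a PEM bundle and flags the SHA-1 ones. The function names are hypothetical, and the input is assumed to be the server's chain saved as PEM text, for instance from `openssl s_client -showcerts`.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
SIG_ALGS = {  # signature-algorithm OID -> (name, signed with SHA-1?)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)  # base-128, high bit means "more follows"
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_algorithm(der):
    """Return the OID of the outer signatureAlgorithm field of a certificate."""
    _, start, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)      # skip over tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return _oid(der[oid_start:oid_end])

def audit_chain(pem_bundle):
    """Return [(position, algorithm, is_sha1)]; unknown OIDs give (pos, oid, None)."""
    report = []
    for i, b64 in enumerate(PEM_RE.findall(pem_bundle)):
        oid = signature_algorithm(base64.b64decode(b64))
        report.append((i,) + SIG_ALGS.get(oid, (oid, None)))
    return report
```

Position 0 is the first certificate in the bundle, normally your site's own certificate; any later entry flagged `True` is an authority certificate still signed with SHA-1.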