12 Nov 2014, 11:15

HTTPS Certificates : some changes in the coming months

When a certificate is issued, several cryptographic mechanisms are involved under the hood. One of them is the hash algorithm used in the certificate's signature: "SHA-1", which was declared weak some months ago.

As a consequence:

  • Certificates should be issued with a SHA-2 signature instead of SHA-1
  • Main browsers will progressively drop support for SHA-1 certificates, lowering their security level step by step until they treat them as untrusted.
  • There are some incompatibility issues, mainly with Windows XP, which does not support SHA-2; since Microsoft no longer supports Windows XP, unless you are in China you should be safe :-)

You can test your certificate, for example with SSL Labs or Shaaaaaaaaaaaa (a site dedicated to the topic).

So the action plan could be:

  1. Test your site to check whether you use SHA-1 certificates or not
  2. Depending on your audience, define a migration strategy based on
    1. The expiration date of your certificates; it may change the behaviour on the browser side; more details in the Chrome/Firefox timeline mentioned above
    2. The browsers' roadmap
  3. Don't forget to update the whole certificate chain, i.e. get your new SHA-2 signed certificate but also the intermediate and root certificates from your certification authority. You can mix both (a SHA-2 certificate with SHA-1 CA certificates), but it is better to have a full SHA-2 certificate chain.
  4. Migrate to SHA-2
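Steps 1 and 3 of the plan boil down to one question: which hash does each certificate in the chain use in its signature? As an added example (not code from the original post, and nothing to do with the SSL Labs or Shaaaaaaaaaaaa tools), here is a small Python script that walks the DER structure of each certificate in a PEM chain, reads the signatureAlgorithm OID and flags SHA-1 (and MD5) signatures. The sample chain at the bottom is constructed for the demo: the certificates are certificate-shaped stubs with real signature OIDs, not real certificates.

```python
"""Audit the signature hash of every certificate in a PEM chain (added example)."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> hash family used
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "MD5",       # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.10040.4.3": "SHA-1",        # dsaWithSHA1
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "SHA-384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "SHA-512",    # ecdsa-with-SHA512
}
SHA2_FAMILY = {"SHA-256", "SHA-384", "SHA-512"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)          # skip tbsCertificate entirely
    _, alg_pos, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def pem_chain_to_ders(pem_text):
    """Extract every CERTIFICATE block from PEM text as DER bytes, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(pem_text):
    """Classify each certificate of a chain as weak (SHA-1/MD5), ok (SHA-2) or unknown."""
    report = []
    for index, der in enumerate(pem_chain_to_ders(pem_text)):
        oid = signature_oid(der)
        family = SIGNATURE_OIDS.get(oid, "unknown")
        if family in SHA2_FAMILY:
            verdict = "ok"
        elif family in ("SHA-1", "MD5"):
            verdict = "weak: re-issue with a SHA-2 signature"
        else:
            verdict = "unknown: inspect manually"
        report.append({"index": index, "oid": oid, "hash": family, "verdict": verdict})
    return report


# --- constructed sample input (certificate-shaped stubs, not real certificates) ---
def _der(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Inverse of _decode_oid: dotted notation -> OID content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def fake_cert_pem(sig_oid):
    """PEM-wrap a stub certificate: dummy tbsCertificate, real signature OID, dummy bits."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 8)
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


# Constructed chain: SHA-256 leaf, then a SHA-1 intermediate and a SHA-1 root
SAMPLE_CHAIN = (fake_cert_pem("1.2.840.113549.1.1.11")
                + fake_cert_pem("1.2.840.113549.1.1.5")
                + fake_cert_pem("1.2.840.113549.1.1.5"))

if __name__ == "__main__":
    for row in audit_chain(SAMPLE_CHAIN):
        print(row)
```

On a real site, feed `audit_chain` the PEM blocks that `openssl s_client -connect host:443 -showcerts` prints, or the chain file you deploy on the server. The leaf and the intermediates are what browsers evaluate; the self-signature on a root already in the trust store is not verified by clients, so a SHA-1 root in the store is not by itself what triggers the warnings, whereas a SHA-1 intermediate in the mixed chain from step 3 is.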