Understanding SHA-2

What is SHA-2, and why should I use it?

SHA stands for "secure hash algorithm" and it is an algorithm that is used to generate SSL certificates. SSL Certificates are used by web browsers to verify the authenticity of a webserver.

The SHA-1 algorithm was initially introduced 20 years ago and is targeted for use by computers from that time.

To avoid any potential security issues that might arise from using an old algorithm, companies such as Microsoft and Google announced that they will be deprecating the use of SHA-1 and will start using a new and more secure algorithm, named SHA-2. 

What will happen if my site still uses a SHA-1 SSL certificate?
Customers using the Chrome browser to access secure websites may experience negative visual security indicators if the SHA-1 certificates are valid beyond December 31, 201If they are on Windows, they will not be able to access sites with SHA-1 certificates after January 1, 2017.
Customers using Chrome version 39 or higher and SHA-1 certificates that expire between June 1st, 2016 and December 31st, 2016 will see a yellow triangle in their Google Chrome browser ("secure but with minor errors').
Customers using Chrome version 40 with SHA-1 certificates that expire on or after 1 January 2017 will be treated as "neutral, lacking security".

How do I re-issue my SHA-1 SSL certificate as SHA-2?
Re-issuing a SHA1-SSL certificate will be free. However, the method of the re-issue will vary depending of the type of SSL you currently have.
Before re-issuing your SHA-1 SSL, you should ensure that your webserver supports SHA-2.

What do I need to know if I have a COMODO certificate?
If you have purchased a COMODO SSL certificate, please submit a support ticket from your Enom account requesting a SHA-2 certificate, including a SHA-2 CSR, so that we can work with Comodo to reissue the certificate as SHA-2.

What do I need to know if I have a Geotrust, RapidSSL or Symantec certificate?
If you have purchased a GeoTrust or a Symantec SSL Certificate, you will be able to reissue a SHA-2 certificate via their Online Portal by following these steps:

For RapidSSL and GeoTrust certificates:

1. Visit https://products.geotrust.com/orders/orderinformation/authentication.do 
2. Generate a Certificate Signing Request (CSR) 
3. Go to the reissuance portal: https://products.geotrust.com/geocenter/reissuance/reissue.do 
4. Select "Request Access" against the correct order ID - An email will be sent to the technical contact email address specified above 
5. Click on the link listed in the e-mail to enter the User Portal 
6. Click the Reissue Certificate option in the left hand column 
7. On the following screen select your Hashing Algorithm, then copy and paste the new CSR 
8. Select the Subscriber Agreement and click Submit 

After the order is approved the SSL certificate will be re-issued

For Symantec certificates:

1. Go to the Symantec portal: https://products.verisign.com/orders/orderinformation/authentication.do 
2. Generate a Certificate Signing Request (CSR) 
3. Go to the reissuance portal: https://products.verisign.com/orders/orderinformation/authentication.do 
4. Select "Request Access" against the correct order ID - an email will be sent to the technical contact email address. 
5. Click on the link listed in the e-mail to enter the User Portal 
6. Click the Reissue Certificate option in the left hand column 
7. On the following screen select your Hashing Algorithm, then copy and paste the new CSR 
8. Select the Subscriber Agreement and click Submit 

After the order is approved the SSL certificate will be re-issued

Can I still purchase SHA-1 certificates?
Currently all SSL certificates issued by Comodo are based on the SHA-2 root chain, unless your server requests a SHA-1 certificate (these certificates are being issued for 1 year only).
Going forward, all GeoTrust and Symantec SSL certificates will be SHA-

Is there a way to re-issue more than one SHA-2 certificate at the same time?
If you would like to reissue multiple certificates, please submit a support ticket from within your account, including all of the requested information.