SHA1 or SHA256

What are SHA1 and SHA256?

When ordering a certificate you can choose whether it is signed using SHA1 or SHA256 as the hash algorithm.

SHA1 has been used for many years and has served its purpose, but unfortunately it is no longer strong enough to ensure the security of all communication. Computers are getting faster, and the computing power needed to break SHA1 is getting cheaper every month.

Because SHA1 is getting weaker, certificates are moving to SHA256 to keep your connection secure.


What changes?

The changes are quite simple. When you generate your CSR you will now get one that is signed with SHA256 instead of SHA1. This CSR looks and works the same as the SHA1 version. You can simply place your order and insert the CSR during the ordering process.

When the certificate is delivered there is a small change. You will still receive all the files from us to install the certificate, but the Intermediate and Root certificates are different from the SHA1 versions. This means that if you have these files saved from previous years, you need to do more than just upload a new certificate: you will also need to upload the new root and intermediate certificates.

The browsers will also start behaving differently. Starting January 1st 2014 Google Chrome will show a small warning with the certificate, informing the visitor that the SHA1 certificate being used is not fully trustworthy because of the weakness of the hash algorithm. The certificate will still work and a secure connection will be made, but visitors may have less trust in the certificate because of the warnings shown.

More information about the changes from Google can be found in their blog post:


What do I have to do?

As these changes will cause your users and customers to ask questions about the trustworthiness of the certificate, you need to make sure that you are using SHA256 certificates before the browsers start distrusting SHA1 ones.

The easiest way is to move your certificates over to SHA256 as you renew them. Most of your certificates are likely to expire before January 2017, so when you have to reissue them during the coming years you can simply order a SHA256 version. This way you do not need to do any extra work and you will still be ready when the browser changes take effect.

If your certificate expires after January 2017, either because it was issued with a long validity period or because you order one with SHA1 by mistake in the coming years, you can also start a reissue via our control panel. When processing the reissue you can supply a new CSR; if you supply a SHA256 CSR, the certificate will be upgraded.
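To find out which of your saved certificates (or a CSR you are about to submit) are still SHA1-signed, the following added example, which is not code from the original article or from the certificate provider, reads the signature algorithm straight from a PEM file using only the Python standard library. The sample PEM blobs it ends with are constructed shells for demonstration, not real certificates.

```python
# Added example, not from the original article: a stdlib-only DER walker that reports
# which hash a PEM certificate or CSR was signed with (the check the text calls for).
import base64
import re

SIGNATURE_OIDS = {  # signature algorithm OIDs from RFC 3279 / 4055 / 5758
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID bytes -> dotted notation (base-128 arcs, high bit = continue)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def signature_algorithm(pem):
    """Return the outer signatureAlgorithm name (or raw OID) of a PEM cert or CSR."""
    # Certificate and PKCS#10 request share SEQUENCE { toBeSigned, AlgorithmIdentifier, BIT STRING }.
    der = base64.b64decode(re.sub(r"-----[^-]*-----|\s", "", pem))
    _, outer_start, _ = _tlv(der, 0)          # outer SEQUENCE
    _, _, tbs_end = _tlv(der, outer_start)    # skip toBeSigned
    _, alg_start, _ = _tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIGNATURE_OIDS.get(oid, oid)

def constructed_pem(oid_bytes):
    """CONSTRUCTED sample (not a real certificate): minimal shell around one OID."""
    tlv = lambda tag, value: bytes([tag, len(value)]) + value  # short-form lengths only
    der = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"))            # placeholder toBeSigned
                    + tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x05, b""))
                    + tlv(0x03, b"\x00\xaa"))                # placeholder signature
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_SHA1_PEM = constructed_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")    # 1.2.840.113549.1.1.5
SAMPLE_SHA256_PEM = constructed_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # 1.2.840.113549.1.1.11
```

On a real file, `signature_algorithm(open("server.crt").read())` gives the same answer as the "Signature Algorithm" line of `openssl x509 -in server.crt -noout -text` (or `openssl req -in server.csr -noout -text` for a CSR).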
