The deadline for migrating to SHA-2 is upon us, here’s how to do it.
With Google’s recent announcement that a deadline had been set for the final deprecation of SHA-1 support on its Chrome browser, any company or organization that hasn’t already migrated to SHA-2 is now scrambling to complete the process.
Google will drop SHA-1 support and start marking websites unsafe with the release of Chrome version 56 at the end of January 2017. Mozilla and Microsoft have announced similar deadlines for the beginning of next year.
If you haven’t already migrated from SHA-1 to SHA-2, you’re running out of time!
A Little Background
Let’s start with SHA-256. SHA-256 is actually SHA-2 with 256-bit strength. That can confuse some people, so let’s just get it cleared up right away.
Now, SHA-1 was the standard SSL hashing algorithm from 2011-2015 despite the fact that many security experts had been raising alarm about potential vulnerabilities for the better part of the last decade. It wasn’t until the beginning of 2016 that the industry formally moved to the more secure SHA-2 algorithm.
Unfortunately, roll out has been hampered by the fact that many older systems and devices can’t support SHA-1. Windows XP (before SP3) is one of the biggest offenders in this right—it is still widely used and cannot support the new algorithm.
This means that many companies and organizations have been forced to not only update their SSL, but to also update their infrastructure to support SHA-2. As you could probably imagine, the cost is in some cases prohibitive. And that’s all coming to a head in the coming months as the deadline for SHA-1 deprecation approaches.
Transitioning to SHA-2
Migrating to SHA-2 or SHA-256 may be a relatively easy process for some, while it may be extremely involved for others. Frankly, it depends on a number of factors ranging from the size of your web presence to the types of devices and systems you have in place.
Here are some tips to help aid in the transition:
- Check for SHA-2 Support – The first thing you should do before you begin your migration is ensure that your environment can support the new algorithm. This means both software and hardware. If parts of your environment can’t support the algorithm, you’re likely going to have to replace them—especially any outward facing components.
- Find all of your SHA-1 Certificates – There are a number of tools available that can assist you with locating all of your SHA-1 certificates.
- Replace all of your SHA-1 Certificates – For the vast majority of SSL Certificates, replacing SHA-1 with SHA-2 is as simple as re-issuing the certificate with the SHA-2 option selected. In some instances, you may also have to generate a new CSR. Or, if your certificate is nearing the end of its validity period you may need to renew it. Regardless, the actual process of upgrading your certificate from SHA-1 to SHA-2 is fairly straightforward.
- Install all of your SHA-2 Certificates – This is the final step, you’ve already upgraded infrastructure, located the existing SHA-1 certificates, issued their replacements and now you just need to install the new SHA-2 certificates in their place.
A Temporary Workaround
Google has announced a provision that should help some companies and organizations that will not be able to meet the deadline. Chrome will distinguish between certificates chained to a public certificate authority and those chained to local CAs.
In order to make use of this provision, companies and organizations will have to deploy a policy known as “EnableSHA1ForLocalAnchors” in Chrome 54. This will allow SHA-1 certificates to be used beyond January 2017, through January 1, 2019. However, it is advised that you migrate well before then as Google reserves the right to nix the provision in the event of a major cryptographic break.