Transitioning to SHA-256

Summary

SHA-2 consists of a family of cryptographic hashing algorithms developed by NIST (National Institute of Standards and Technology) to replace the aging SHA-1 hashing algorithm which may have mathematical weaknesses.

GlobalSign, in our role as your security partner, supports the deprecation of SHA-1 and the transition to SHA-256, the most widely supported of the SHA-2 hashing algorithms. We will be working closely with all customers to ensure a seamless transition. The first step in the process is the availability of GlobalSign SHA-256 SSL Certificates on March 31, 2014.

This article defines the important milestones for the introduction of SHA-256 SSL Certificates and the depreciation of SHA-1 SSL Certificates.

Important dates for the end of support for SHA-1:

January 1 2016 Microsoft will cease trusting Code Signing Certificates using SHA-1
January 1 2017 Microsoft will cease trusting SSL Certificates using SHA-1
July 2015 Microsoft will revisit the above dates, and potentially accelerate if deemed appropriate

While the CA/Browser Forum has not yet specified SHA-256 in their Baseline Requirements, Microsoft is driving the industry to the January 2017 date when they will stop trusting all SHA-1 Certificates issued under public roots. GlobalSign is tracking the status within the CA and Browser industry as well as within security forms and will keep our customers up to date on any milestone changes, or on credible advances in breaking SHA-1.

GlobalSign customers should be aware of the following event dates:

March 31 2014 GlobalSign enables and recommends SHA-256 during the SSL ordering process.
March 31 2014 GlobalSign customers can reissue existing SHA-1 Certificates with SHA-256 free of charge at any point during the validity period of the Certificate.
March 31 2014 New Certificate applications opting to use SHA-1 will be limited to a maximum Certificate validity period of 3 years. GlobalSign will monitor the SHA-1 risks and deprecation situation with Microsoft and other vendors and may reduce validity periods in subsequent years.
January 2016 GlobalSign will disable all SHA-1 issuance options (subject to change based on updated Microsoft guideline).

Known issues with compatibility:

Most applications, servers and browsers now support SHA-256, however some older operating systems such as Windows XP prior to Service Pack 3, and some mobile devices do not. Before the SHA-1 algorithm is formally deprecated by Microsoft, it is important to ensure your organization and those relying on your infrastructure are benefiting from SHA-256 support by installing the latest version of the application or browser and applying all known security updates to your operating system.

For more information please see our SHA-2 Compatibility Summary.

Further reading:

CA Security Council:

https://casecurity.org/2014/01/30/why-we-need-to-move-to-sha-2/
https://casecurity.org/2013/12/16/sha-1-deprecation-on-to-sha-2/

SHA-256 Support in Windows:

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx

Microsoft Root Embedding Program Requirements:

http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx