Thursday, September 18, 2014

Chrome Invalidates Certificates using SHA-1 in November 2014

Certificates are used to secure digital communication. The most common use is SSL/TLS, which protects communication with web sites and other services. Each certificate names the hash algorithm used to produce the hash values in its signature. SHA-1 was a commonly used hash algorithm.

In November of 2013, Microsoft indicated that Windows would not accept certificates using SHA-1 as valid starting in 2017. Most certificates expire after 1-3 years, providing ample time to update existing certificates during normal renewal processes.

I just received a notification that Google Chrome will start marking web sites whose certificates use SHA-1 as invalid starting in November 2014 if the expiry date of that certificate is after 2015. That is a much faster time frame.

A review of our clients has revealed that only one certificate is using SHA-1 at this time. All of the others are using SHA-256 (one of the SHA-2 family of algorithms). For this one client, we need to rekey the certificate to use the new algorithm.
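As an added example (not from the original post), here is a stdlib-only Python checker that walks a certificate's DER encoding, reads the signature algorithm OID and the notAfter date, and applies the Chrome rule as stated above (SHA-1 signature and expiry after 2015). The sample certificates are constructed inline with a minimal encoder and are structurally simplified stand-ins (empty names, empty key, dummy signature), not real certificates; in a real review the DER would come from a certificate file or from ssl.get_server_certificate.

```python
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
OID_NAMES = {SHA1_RSA: "sha1WithRSAEncryption", SHA256_RSA: "sha256WithRSAEncryption"}

def tlv(tag, body):  # DER encode one tag-length-value (bodies up to 65535 bytes)
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def read_tlv(buf, pos):  # decode the TLV at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length octets
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body):  # split a constructed value into its (tag, value) elements
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def sample_cert(sig_oid, not_after):
    # Constructed test input, not a real certificate: empty names, empty key, dummy signature.
    alg = tlv(0x30, tlv(0x06, sig_oid) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, not_after))  # UTCTime pair
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + name + validity + name + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))  # Certificate ::= SEQUENCE {tbs, alg, sig}

def expiry_year(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime: RFC 5280 says YY < 50 means 20YY, otherwise 19YY
        yy = int(text[:2])
        return 2000 + yy if yy < 50 else 1900 + yy
    return int(text[:4])  # GeneralizedTime carries a four-digit year

def check_cert(der):
    """Return (algorithm, expiry year, flagged); flagged = SHA-1 signature and expiry after 2015."""
    _, cert, _ = read_tlv(der, 0)
    tbs, sig_alg, _sig = children(cert)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # drop the EXPLICIT [0] version element when present
        fields = fields[1:]
    # remaining TBS order: serialNumber, signature, issuer, validity, subject, spki, ...
    not_after_tag, not_after_val = children(fields[3][1])[1]
    oid = children(sig_alg[1])[0][1]
    algo = OID_NAMES.get(oid, "unknown(" + oid.hex() + ")")
    year = expiry_year(not_after_tag, not_after_val)
    return algo, year, oid == SHA1_RSA and year > 2015
```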

Specific instructions for rekeying vary depending on your SSL provider.

Some potential issues with SHA-2:
  • If you have legacy servers such as Windows Server 2003, you need to update them to support SHA-2 by installing a hotfix (http://support.microsoft.com/kb/968730). This is required for Exchange 2003 servers, if you have them, and for older web servers.
  • If you are using GoDaddy digital signing certificates, the Java security store does not automatically trust the SHA-2 based certificates yet. Apparently, this is in the works and will be complete within the next few months. So, in the short term you may want to keep SHA-1 for that purpose. The Chrome change in November 2014 won't affect Java signing.
