SSLMate Blog

SHA-2 Certificates Now Available from SSLMate

Andrew Ayer
SSLMate Founder

SSLMate is pleased to announce that as of Friday, November 7, 2014, all certificates purchased, reissued, and renewed through SSLMate are signed using the SHA-2 hash algorithm.

Background

For many years, SSL certificates were signed with the SHA-1 hash algorithm. However, serious weaknesses exist in SHA-1 that could allow attackers to forge certificates and impersonate websites. Therefore, web browsers are phasing out support for SHA-1 in favor of the more secure SHA-2. Over the next few months, Google Chrome will begin to show visual indications that websites using SHA-1 certificates expiring in 2016 or later are less secure. Firefox will do the same. Eventually, browsers will stop accepting SHA-1 certificates entirely.

For an in-depth explanation of the SHA-1 deprecation, see Why Google is Hurrying the Web to Kill SHA-1 by Eric Mill.

Upgrade to SHA-2 in three easy steps

If you have an SSLMate certificate that was purchased before November 7, 2014, you can upgrade it to a SHA-2 certificate, free of charge, in just a few easy steps. In keeping with SSLMate's mission to simplify SSL certificate management, we've made upgrading to SHA-2 extremely easy. All you have to do is:

  1. Log into your SSLMate account and click the “Reissue as SHA-2” link next to the certificate you want to upgrade.

  2. Respond to an email to prove that you still control the domain.

  3. Download and install new certificate files with the sslmate download command. If you've configured your server to run sslmate download automatically, you can skip this step.

That's all it takes. Unlike with other certificate vendors, you don't have to run any arcane openssl commands, you don't have to copy and paste text blobs or deal with unwieldy Zip files, and you don't have to worry about correctly assembling the intermediate certificate bundle. If you've set up automatic certificate downloads, you don't even have to log into your server.

Easiest SHA-2 upgrades in the industry

The simplicity of SSLMate's SHA-2 upgrade process is unrivaled in the industry and shows the power of the SSLMate service. Cryptography moves fast. This isn't the first time the Internet has transitioned away from a cryptographic standard: we saw a similar sunsetting of the MD5 hash algorithm in 2011, and the Internet is also moving away from 1024-bit RSA keys. The future could easily see a transition away from SHA-2 or RSA if those algorithms are broken.

The Internet has been through these transitions before and will go through them again, but what's different now is that web browsers are more willing than ever to move quickly to protect their users, as evidenced by Chrome's accelerated SHA-1 deprecation schedule, and their quick disabling of SSLv3 after POODLE. Website operators need to keep up with evolving security standards, and respond quickly to security vulnerabilities such as Heartbleed that affect SSL certificates. They should be able to do so as effortlessly as possible and in a way that minimizes the chance for human error. SSL certificate automation is the answer, and that's what SSLMate provides.
