Last updated on 28 Sept 2023, 10:32:43.
SHA (Secure Hash Algorithm) is a family of cryptographic hash algorithms used in SSL to verify the validity of a certificate's signature. Several versions of SHA exist: SHA-0, now obsolete and no longer in use; SHA-1, used by the majority of today's certificates; SHA-2, a more secure successor; and SHA-3, introduced in 2012.
The SHA-2 family comes in four variants, named after the length in bits of the hash they produce: SHA-224, SHA-256, SHA-384 and SHA-512. SHA-256 is the most widely adopted version by browsers and Certificate Authorities alike, and the terms SHA-2 and SHA-256 are often used interchangeably.
Because computing power grows exponentially, the risk increases that someone could generate a file with the same SHA-1 checksum as another file. Such a collision would allow an attacker to circumvent SSL security and to issue false certificates. That is why Microsoft and Google, followed by other browser developers, have decided to progressively limit the validity of certificates signed with SHA-1.
Certificate Authorities will cease to issue SHA-1 certificates after December 31, 2014. New certificates requested after that date will be signed with an SHA-256 signature exclusively.
If your certificate is due for renewal, make sure you request an SHA-256 signature when renewing. To guarantee compatibility with older browsers, existing certificates can still be re-issued with an SHA-1 hash. If you have doubts about the compatibility of your equipment with SHA-256, a list of compatible devices can be found on our page on "SHA-256 compatibility".
If your current SSL certificate has an expiry date set in 2016 or 2017, visitors to your website may encounter security warnings. In that case, your best course is to ask for a re-issue of your certificate in SHA-256. If you ordered your certificate through Kinamo, we'll re-issue it for free.
Nothing is lost if you're not yet an SSL customer at Kinamo. Many Certificate Authorities offer a competitive deal when switching away from a competitor, and even allow you to transfer your remaining certificate validity onto a new certificate, sometimes with an extra 30 days of validity for free.