SHA1, SHA2 and SHA256 SSL algorithms

Last updated on 28 Sep 2023, 10:32:43.
Category: All about SSL certificates | SSL technical


What is SHA?

SHA (Secure Hash Algorithm) is a family of cryptographic hash functions. In SSL/TLS it is the hash a Certificate Authority computes over a certificate's contents before signing them, and the hash a browser recomputes to verify that signature. Several iterations of SHA have been published: SHA-0, now obsolete and no longer in use; SHA-1, used by the majority of today's certificates; SHA-2, a more secure successor; and SHA-3, introduced in 2012.

The SHA-2 family comes in four variants, named after the length in bits of the hash value they produce: SHA-224, SHA-256, SHA-384 and SHA-512. SHA-256 is the variant most widely adopted by browsers and Certificate Authorities alike, and the terms SHA-2 and SHA-256 are often used interchangeably.

Why is SHA-1 insecure?

Computing power grows exponentially, and with it the risk that a file can be generated that has the same SHA-1 checksum as another file. Such a collision would allow an attacker to circumvent SSL security and to produce forged certificates that appear validly signed. That is why Microsoft and Google, followed by other browser vendors, decided to progressively limit the validity of certificates signed with SHA-1.

How can I obtain a SHA-256 SSL certificate?

Certificate Authorities will cease to issue SHA-1 certificates after December 31, 2014. New certificates requested after that date will be signed with a SHA-256 signature exclusively.

If your certificate is up for renewal, make sure you request a SHA-256 signature at renewal. To guarantee compatibility with older browsers, existing certificates can still be re-issued with a SHA-1 hash. If you have doubts about the compatibility of your equipment with SHA-256, a list of compatible devices can be found on our page on « SHA-256 compatibility ».

If your current SSL certificate has an expiry date set in 2016 or 2017, visitors to your website may encounter security warnings. In that case, your best course is to ask for a re-issue of your certificate in SHA-256. If you ordered your certificate through Kinamo, we'll re-issue it for free.
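Before asking for a re-issue it helps to know which hash your current certificate was actually signed with. The following stdlib-only Python check is an added example (not Kinamo's code): it walks the DER structure of a certificate, reads the signature algorithm OID and flags SHA-1. The two sample certificates are constructed skeletons built by `_fake_cert`, not real certificates; for a real PEM file, pass `ssl.PEM_cert_to_DER_cert(open("cert.pem").read())` to `signature_hash`.

```python
import ssl

# Signature AlgorithmIdentifier OIDs (RFC 3279, RFC 5758) -> (algorithm name, hash it uses)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) into dotted form."""
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # a clear high bit ends the arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def signature_hash(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return (algorithm name, hash, is_sha1) read from the outer signatureAlgorithm."""
    tag, body, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input? use ssl.PEM_cert_to_DER_cert first)")
    _, _, pos = _tlv(body, 0)             # skip tbsCertificate
    _, alg_id, _ = _tlv(body, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid = _decode_oid(_tlv(alg_id, 0)[1])
    name, digest = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
    return name, digest, digest == "SHA-1"

def _fake_cert(oid_content):  # constructed minimal skeleton for the demo, NOT a real certificate
    def der(tag, v): return bytes([tag, len(v)]) + v   # short-form lengths suffice here
    tbs = der(0x30, der(0x02, b"\x01"))                 # placeholder tbsCertificate
    alg = der(0x30, der(0x06, oid_content) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xAA" * 8))

SHA1_RSA_CERT = _fake_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SHA256_RSA_CERT = _fake_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
SHA256_RSA_PEM = ssl.DER_cert_to_PEM_cert(SHA256_RSA_CERT)         # same skeleton, PEM-armoured
```

A certificate whose result ends in `True` is SHA-1 signed and is the one to have re-issued with SHA-256.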

Nothing's lost even if you're not yet an SSL customer at Kinamo. Many Certificate Authorities offer a competitive deal when switching away from a competitor, and even allow you to transfer your remaining certificate validity onto a new certificate, sometimes even with an extra 30 days validity for free.
