SHA-2 SSL certificate hashing is a cryptographic algorithm developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). SHA2 certificates are more secure than all previous algorithms, and are being required in certain applications in place of certificates signed with the SHA-1 hash function beginning January 1, 2011.
Many organizations may be required to upgrade to SHA-2 (also known as SHA2 or SHA-256) SSL certificates in conjunction with updated federal and PCI compliance standards.
Although SHA-1 certificates will still be considered secure for years to come, mathematical weaknesses have been identified that could potentially be exploited in breaking the SHA-1 crypto hash. These mathematical weaknesses were resolved in the SHA-2 encryption algorithm.
As an organization concerned with establishing online security, and as a service to our customers and the end-users who rely on the integrity of their systems and infrastructure, Affect Web supports those organizations that are taking all possible measures to help make SHA-256 certificates the encryption standard.
PCI compliance scanners may require their clients to use SHA-2 compatible SSL certificates. Certificates issued within the federal space will be required (in accordance with NIST standards) to be issued with SHA-2. If you need a SHA-2/SHA-256 certificate, you will be given the option to select whether to make your cert a SHA-2 cert during the order process for any of our standard product offerings.
- Will the new intermediates or new certificates be hashed with SHA-1? What about SHA-2?
- With this migration, all Thawte certificates will be hashed with the SHA-1 hashing algorithm, which is the industry standard. Thawte has got SHA256 roots that are being distributed to ensure readiness for SHA2 when there is widespread support for this algorithm.
Below is a list of Windows Operating Systems that support SHA2 functionality and recommendations on how to update Windows Operating Systems to support SHA2.
Prior to Windows XP Service Pack 3, the SHA2 functionality was not supported on the Windows XP Operating System. With the release of Service Pack 3 some limited functionality for SHA2 was added to the crypto module rsaenh.dll. This includes the following SHA2 hashes: SHA-256, SHA-384 and SHA-512. SHA-224 was not included in this update.
Windows Server 2003:
Windows Server 2003 Service Pack 1 and Service Pack 2 does not inherently support SHA2.
However a Hotfix can be downloaded for this Operating System by clicking the following Microsoft Knowledge Base Articles links at KB938397 and KB968730.
Note: It was discovered that Windows 2003 Service Pack 2 with KB938397 installed cannot request a SHA2 certificate from a Windows 2008 server. KB968730 addresses this issue. However, KB968730 supersedes KB938397. So if Windows Server 2003 Service Pack 1 or 2 needs to enroll for and process a SHA2 certificate from Windows Server 2008, only KB968730 would need to be installed.
Windows Vista, Windows 7, Server 2008 and Server 2008 R2:
Starting with Windows Vista and Server 2008, the Cryptography Next Generation (CNG) Suite B algorithms (including SHA2) are included in the operating system and support SHA2.
Note: Even though the algorithms are available, it is up to the individual applications to implement support.
Outlook and S/MIME:
Outlook 2003, 2007 and 2010 running on Windows XP Service Pack 3 can sign and validate certificates when the certificate is SHA2 signed. Outlook 2003, 2007 and 2010 running on Windows XP Service Pack 3 cannot validate email messages when the message is signed with SHA2 regardless of the certificate used. Outlook 2003, 2007 and 2010 running on Windows XP Service Pack 3 cannot sign a message with SHA2, only SHA1 and MD5 are supported.
In order to validate SHA2 messages, Windows Vista with Outlook 2003 or newer is needed. In order to both sign and validate SHA2 messages, Windows Vista or Windows 7 with Outlook 2007 or Outlook 2010 is needed.
Note: Regardless of the functionality Windows and Outlook provide, in order for mail to be delivered between two users, there are a number of spam filters, relays, mailboxes, etc between sender and recipient as well as a wide range of vendors running on a wide range of platforms that need to be tested before deploying SHA2 to ensure compatibility.
For organizations looking to deploy SHA2 the following is recommended:
- For Windows XP users, Service Pack 3 should be deployed.
- If Windows XP system needs to be used to enroll for a SHA2 certificate, KB968730 should be deployed.
- For Windows Server 2003, Service Pack 1 or 2 and KB938397 should be deployed.
- If Windows Server 2003 needs to be used to enroll for a SHA2 certificate, Service Pack 2 and KB968730 should be deployed. If planning on deploying KB968730, installing KB938397 is not necessary.
- If S/MIME using SHA2 is needed for sending email messages, the workstations will need to be updated to Windows Vista running Office 2003 or newer.
Additional Information about SHA2 compatibility and Windows Operating Systems can be located at the links below.
National Institute of Standards and Technologies (NIST) SHA2 Recommendations: