Businesses need to migrate to SHA2 signed certificates now! The SHA1 hashing algorithm, which is known to be weak due to advancements in cryptographic attacks, is being deprecated and must be replaced with SHA2.
SHA1 has been vulnerable for years
SHA1, a cryptographic hash function is no longer considered secure, and SHA1 signed certificates can be easily forged by attackers to mimic the original one. Leading browsers will start rejecting SHA1 certificates as of July 2016. This change was agreed upon jointly by the browser and certificate vendor industry consortium to ensure that certificates are replaced before their vulnerabilities are exploited. Both internal and external certificate authorities must be migrated to SHA2. This affects all types of certificates, regardless of validation method.
SHA2 is significantly stronger
The encryption hash used in SHA2 is significantly stronger and not subject to the same vulnerabilities as SHA1. This means that attacking a SHA2 certificate requires much greater logic and computing power. Although SHA2 is constantly attacked and minor weaknesses are noted, in crypto-speak, it’s considered “strong” and it is far better than SHA1.
Implement a 6-step plan to migrate from SHA-1 to SHA-2 certificates
Applications are core to the business, and because SHA1 errors impact the end-user browser experience, it is risky to proceed with cryptographic weaknesses. AppViewX recommends that administrators migrate to SHA2 certificates as soon as possible. We recommend following the six steps below to avoid any major problems during the migration.
Step 1: Discovery of all SHA1 certificates
Step 2: Inventory assessment of existing certificates
Step 3: Impact analysis of SHA1 migrations
Step 4: SHA1 to SHA2 migration
Step 5: Validation of migration
Step 6: Enforceable policy creation
AppViewX’s Certificate Lifecycle Automation solution provides a one-stop migration solution that identifies, renews, and installs SHA2 signed certificates.
For further details on the six-step migration plan and how AppViewX can automate the whole process and other enterprise PKI automation such as certificate discovery, SSL certificate monitoring, certificate expiry alerting and renewing SSL/TLS certificates automatically, please reach out to us at email@example.com and our solution experts will be happy to help you.