2 November 2014
TCS certificate service responds to SHA security update

The Secure Hash Algorithm (SHA) plays an important role in signing the digital certificates used to support secure websites. The majority of certificates in place at the moment rely on SHA-1, despite the fact that cryptographic weaknesses have been identified in it. In recent months, Google and Microsoft have both announced plans to deprecate SHA-1 in favour of SHA-2, which provides a stronger hash function. In order to support community migration to SHA-2, the GÉANT Association's Amsterdam office (formerly TERENA) and Comodo have made it possible to order SHA-2 certificates via the current TCS certificate service. SHA-2 orders can now be placed for server, code-signing and personal certificates.

Server and code-signing certificates

Server and code-signing certificates can be ordered as normal via Djangora or your own local portal, and either SHA-1 or SHA-2 can be selected. Any SHA-1 request with a validity period extending beyond the deadline of 1 January 2017 will be changed automatically to a SHA-2 request.

Personal certificates

Some changes to Confusa portals may be required to support SHA-2 personal certificates. If you are experiencing any problems, please contact the Confusa team.

eScience certificates

All TCS participants are advised to use only SHA-1 for eScience certificates for now, as SHA-2 is not fully distributed through the IGTF framework. As eScience certificates are 13 months in duration, they should expire before the cut-off date of 1 January 2017.

Further information

Information about the TCS service is available on the TCS webpages.

More background information about the importance of the SHA change is available in the online article Why Google is Hurrying the Web to Kill SHA-1.