6 January 2015
TCS certificate service updates its SHA security advice

As announced in November, the GÉANT Association's Amsterdam office (formerly TERENA) and Comodo have made it possible to order new, more secure SHA-2 (Secure Hash Algorithm 2) certificates via the current TCS certificate service. These replace the old SHA-1 certificates now that the deprecation of this key cryptographic tool has become a reality, with the first errors and warnings already visible on the Internet.

If you are making use of TCS, you should:

  1. Check the signature algorithm of your certificates. Any certificate still using SHA-1 should be replaced with one using SHA-2. If you don't know how to perform the check, a number of tools on the Internet can do it for you, such as the DigiCert sunset tool.
  2. Reissue all the certificates that need to be replaced. It is suggested that you prioritise the order in which you replace them: start with your most important websites and with the certificates that expire in 2017, then proceed with certificates expiring in 2016 or sooner.
  • Server and code-signing certificates can be ordered as normal via Djangora or your own local portal, with a choice of SHA-1 or SHA-2. Any SHA-1 request with a validity period extending beyond the deadline of 1 January 2017 will be changed automatically to a SHA-2 request.
  • Personal certificates with SHA-2 can be issued via Confusa portals. If you are experiencing any problems, please contact the Confusa team.
  • eScience certificates: although SHA-2 is now fully distributed through the IGTF framework, we strongly advise you to keep using your old hierarchy. As eScience certificates are 13 months in duration, they should expire before the cut-off date of 1 January 2017.
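The check and prioritisation described in steps 1 and 2 can be scripted. The following is an added example, not TCS or Comodo code: it reads the text that `openssl x509 -noout -text` prints for each certificate, flags SHA-1 signatures, and orders them so that SHA-1 certificates still valid on 1 January 2017 come first and those expiring in 2016 or sooner come next. The certificate excerpts are constructed samples, and the within-tier ordering is this example's own choice.

```python
import re
from datetime import datetime

CUTOFF = datetime(2017, 1, 1)  # the 1 January 2017 SHA-1 deadline named above

# Signature algorithm names OpenSSL prints for SHA-1 based signatures.
SHA1_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
SAMPLE_CERTS = [
    """        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not After : Jan  5 12:00:00 2017 GMT
        Subject: C = NL, O = Example University, CN = www.example.edu
""",
    """        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not After : Jun 30 00:00:00 2016 GMT
        Subject: C = NL, O = Example University, CN = mail.example.edu
""",
    """        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not After : Mar  1 00:00:00 2017 GMT
        Subject: C = NL, O = Example University, CN = login.example.edu
""",
]

def parse_openssl_text(text):
    """Pull the CN, signature algorithm and expiry date out of x509 -text output."""
    sig_alg = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,\n]+)", text).group(1).strip()
    not_after = re.search(r"Not After\s*:\s*(.+?)\s*GMT", text).group(1)
    # OpenSSL pads single-digit days with a space; collapse before parsing.
    expiry = datetime.strptime(" ".join(not_after.split()), "%b %d %H:%M:%S %Y")
    return {"cn": cn, "sig_alg": sig_alg, "not_after": expiry}

def priority(cert):
    """0: already SHA-2. 1: SHA-1 and still valid on the cut-off date (replace
    first). 2: SHA-1 but expiring in 2016 or sooner (replace next)."""
    if cert["sig_alg"] not in SHA1_ALGORITHMS:
        return 0
    return 1 if cert["not_after"] >= CUTOFF else 2

def replacement_order(certs):
    """SHA-1 certificates only, most urgent tier first; within a tier the
    longest-lived certificate first (that ordering is this example's choice)."""
    todo = [c for c in certs if priority(c) > 0]
    return sorted(todo, key=lambda c: (priority(c), CUTOFF - c["not_after"]))
```

Run `replacement_order([parse_openssl_text(t) for t in SAMPLE_CERTS])` to get the SHA-1 certificates in the order the advice suggests replacing them; the SHA-2 certificate is left out.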

Further information about the TCS service is available on the TCS webpages.