Don’t Use SHA-1 for SSL Certificates
This week I helped a client re-key their SSL certificate due to having lost the private key. In the process, I was given the option to use SHA-1 or SHA-2. I figured 2 is better than 1, but then I read up on how SHA-1 is gradually being phased out in Google Chrome because it’s no longer considered secure.
Today I got an email from Namecheap (the best option for a cheap SSL certificate) letting me know SHA-2 would be used from now on, and I could reissue older certificates with SHA-2.
I checked my grade on SSL Labs and found it had dropped from the coveted A+ to an A due to the use of SHA-1. I’m pleased to see they’re keeping the test updated. My grade dropped without having changed anything since I got the A+.
Which gives me an idea for a service. It would be a security subscription service that would send you a monthly report card for all your SSL sites so you’d know when you needed to take action. It could also let you know about urgent updates when vulnerabilities like Heartbleed and POODLE were discovered.
Anyway, I recommend reissuing your certificates to use SHA-2. If you’re using Namecheap, here’s how to do it.
Step 1
Login to namecheap, and expand the menu on the top left and select Manage SSL Certificates. Click on the Reissue link of the Active certificate you want to reissue. All new certificates will be issued using SHA-2, so you don’t need to select any other options.
Step 2
Create a CSR following the same steps you used to create the initial certificate, using the same responses. Paste the contents of the CSR file into the Namecheap text area and click on Next. Keep on clicking Next, but make sure the defaults are okay.
Step 3
Click on the link in the confirmation email, then click the Approve button. Shortly after you’ll get your new certificate by email. Replace the existing files on your server, restart the web server, and boom, you’re back at an A+.