SHA1 to SHA2 Migration Guide

***Guide pending verification***

With Windows SSL reissues (SHA-1 -> SHA-2)

 

If you are here, then most likely you have a site on a server that is producing a red strike on https when using Google Chrome. Most likely, this is due to:

 

!!!The following root has been retired and need no longer be distributed by vendors!!!

Root 1 - Equifax Secure eBusiness CA-2 

Download - Equifax Secure eBusiness CA-2 (.pem file) Right Click, Save As

Organization: GeoTrust Inc.

Country: US

Serial Number: 1b

Validity Period: Mon Oct 7, 2002 to Sun Jun 21, 2020 (GMT)

Certificate Fingerprint (MD5): 85:8E:B3:54:F7:AC:18:A3:E7:3D:90:9E:02:90:4D:3D

Certificate Fingerprint (SHA-1): 39:4f:f6:85:0b:06:be:52:e5:18:56:cc:10:e1:80:e8:82:b3:85:cc

Key Length: 1024

Digital Verification via HTTPS: Not Available

 

Based on this, we need a new root certificate on our servers so we get Root 5:

 

Contact GeoTrust to reissue certificates using:

https://www.geotrust.com/resources/root-certificates/

 

Root 5 - GeoTrust Primary Certification Authority – G3

Description: This root CA is not used today. It is intended for use in the future for SSL and Code Signing services needing an SHA256 encryption algorithm. This root should be included in root stores. 

 

Download - GeoTrust Primary CA – G3 (.pem file) Right Click, Save As

Organization: GeoTrust Inc.

Country: US

Serial Number: 15 ac 6e 94 19 b2 79 4b 41 f6 27 a9 c3 18 0f 1f

Validity Period: Tue, April 01, 2008 4:00:00 PM to Tue, December 01, 2037 3:59:59 PM

Certificate Fingerprint (SHA-1): 03 9e ed b8 0b e7 a0 3c 69 53 89 3b 20 d2 d9 32 3a 4c 2a fd

Digital Verification via HTTPS: https://ssltest21.bbtest.net

 

This new root (Root 5) should allow us to generate a new CSR and RSA key.

 

Install the 3 new SSL certificates using the new Root 5:

  • the client SSL certificate
  • the intermediate certificate
  • the root certificate


More Information can be found here:

https://www.sha2sslchecker.com/sha1-to-sha2-migration.php

 

GeoTrust / RapidSSL: If your GeoTrust or RapidSSL SSL certificate is signed with SHA1, then you can reissue your current SSL certificate with the following instructions.

 

 

Use of SHA-256 Intermediate Certificate:

The intermediate certificate needs to be updated together with the SSL certificate. References for the different CAs are given below.

 

  • GeoTrust: Their SHA-2 intermediates are listed under RSA SHA-2, labeled under "SHA-2 Intermediate CAs under SHA-2 Root". For knowledge base guidance, click here.