Access Keys:
Skip to content (Access Key - 0)

Q: Migration to SHA-2 Certificate Authority

  • Why is MIT migrating to a new certificate authority?
  • What is the difference between SHA-1 and SHA-2 certificates?
  • How will I be affected by the change of certificate authority?

Context

  • Applies to all operating systems and platforms

Answer

  • MIT is transitioning to the use of SHA-2 for certificates. In the near future, multiple web browsers such as Firefox, Internet Explorer, and Chrome, among others, will stop accepting the old SHA-1 certificate hash which has been used in the past. To prevent these browsers from refusing to accept MIT server certificates, MIT has decided to migrate to the SHA-2 hash for protection of our certificates.
  • According to Google, Chrome will begin treating SHA-1 based certificates valid past January 1 2017 as untrustworthy starting with the release of Chrome 39 in November 2014. Other browsers are also making plans to deprecate the use of SHA-1 in certificates.
  • Users of certificates should make plans to upgrade certificates before software begins rejecting the old certificate hash.
  • New MIT certificates will be signed by the "InCommon RSA Server CA" and will use 2048-bit RSA encryption as well as a SHA-256 hash.

Additional Browser Information

Firefox

Firefox will introduce a warning for certificates valid past January 1, 2017 using SHA-1, and will reject such certificates entirely as of January 1, 2017: https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

Chrome

In releases 39 through 41, Google will gradually phase out support for SHA-1 certificates entirely: http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

Internet Explorer

Internet Explorer will stop accepting SHA-1 based end-entity certificates by January 1, 2017: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

October 29, 2014

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
Labels:
c-certificates c-certificates Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
Feedback
This product/service is:
Easy to use
Average
Difficult to use

This article is:
Helpful
Inaccurate
Obsolete
Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki