SHA1 to SHA2 Migration Guide by CAs

Many Cetificate Authorities has default SHA-256 migration while some do not support SHA-256. The other CAs will request you to migrate to SHA-256 in writing or signing CSR.

If you wish to get a new SSL with current private key, then follow the command.

openssl req -new -SHA-25656 -key your-private.key -out your-domain.csr

If you are using an SSL certificate from the following CAs, then you can follow the procedure given below for SHA-2 migration for primary and intermediate certificate.

Go Daddy: To upgrade your SSL certificate, you need to re-key your current certificate means you need to generate a new private key. Below are steps to rekey your current SSL. For further information, you can read instructions.

Log in to SSL Manager
Browse Certificate Manger tab.
In Filter list, click on Certificates.
Select the certificate and click on the Re-key.
If your domain name uses shared hosting and you wish to use third party hosting then select “Uninstall this certificate”.
In the CSR field, paste your new CSR
Select a signature algorithm and CA and click on re-key button.
Your old certificate will be removed within 72 hours and you will receive a new SSL.

DigiCert: This CA takes SHA-256 by default. To replace your existing SHA-1 to SHA-256, you can replace, renew, or purchase a new certificate.

DigiCert has a SHA1 sunset tool in which you have to fill the domain name in the box and click on the Lookup button.
The tool will show a link for replacement as an advance option on the certificate request page.
After that, it will tell you to purchase a new SHA-256 certificate.
Select the product and validity period.
Create CSR with CSR generation tool.
Provide organization information and select the payment mode.
Click on checkout button.

DNSimple: It applies SHA-256 by default. DNSimple has switched its product to Comodo, which already support SHA-256 algorithm since April 2014. For further clarification and guidance Click here.

Gandi: Gandi.net published on twitter about not supporting SHA-256 due to browser compatibility and they are still working on it.

GeoTrust/ RapidSSL: If your GeoTrust or RapidSSL SSL is signed with SHA1, then you can reissue your current SSL with the following instructions.

Browse https://security-center.geotrust.com/process/retail/console_login?application_locale=GEOTRUST_US
Enter username and password to sign in.
On the right column, find the certificate services.
Click on Search Certificates
Provide the detail of a common name or order number and click on the Search button.
You will be displayed Certificate search results.
Click on appropriate certificate and click on Reissue button.

StartSSL: if you wish to replace class1 certificate at StartSSL, you need to pay money for it, otherwise you have to wait for the certificate expiry. Get more details on this informative blog.

Use of SHA-256 Intermediate Certificate:

Intermediate certificate needs to be updated with an SSL certificate. We have given below some reference as per different CAs.

Dreamhost: If you wish to update intermediate certificate, then follow the guideline for upgrading your Intermediate Certificate here.
RapidSSL: To update your intermediate certificate to SHA-256, you need to obey the instruction given here along with your current SSL certificate.
StartSSL: Whether you request for class-1, class-2, class-3 or class-4 type of SSL, you can download intermediate certificate.
Comodo: To update your intermediate certificate, you can follow the given instruction.
VeriSign/Symantec: Their SHA-2 intermediates are listed under RSA SHA-2, at "SHA-2 Intermediate CAs under SHA-2 Root". For knowledge base guidance, click here.
GeoTrust: Their SHA-2 intermediates are listed under RSA SHA-2, labeled under "SHA-2 Intermediate CAs under SHA-2 Root". For knowledge base guidance, click here.
DigiCert: DigiCert deals with robust SSL certificates and to download the intermediate certificate, the detailed information is given here

Check Your Website Now!