Print

Google Chrome will end support of certificates using SHA-1 hash algorithm

20.02.2015

The level of security of the currently still widely used SHA-1 hash algorithm has weakened in recent years. 
 
Therefore, starting from the end of 2014 Google Chrome started displaying warnings on many websites that use SSL certificates signed with SHA-1 hash algorithm. The Google Chrome browser checks the validity period of the SSL certificate and whether the SSL certificate or the issuing intermediate certificate use the SHA-1 hash algorithm. The new warning system is in use from version 39 and higher of Google Chrome and the developer has promised to step up the warnings in each future version. The hash algorithm used in root certificates does not affect the warnings because the signatures of root certificates are not checked.
 
Google Chrome will start displaying various warnings about the security of your web server at the times specified in the original article for reasons listed in the aforementioned. 
 
Starting from mid-2014, SK has issued new SSL certificates using the SHA-256 hash algorithm. Currently the intermediate certificate KLASS3-SK 2010, which issues the SSL certificates still uses the SHA-1 hash algorithm. But this intermediate certificate is going to be replaced in the near future in order to adapt to Google Chrome’s requirements. The exact schedule is not yet in place but we will disclose new information as it becomes available.
 
If you wish to replace your existing SSL certificate for a certificate with a shorter validity period in order to prevent Google Chrome from displaying a warning when your website is opened, please contact SK’s customer support. We will temporarily replace the certificate issued to you with a shorter-term certificate and after we have fully complied with Google Chrome’s requirements we will notify you and once again issue you a new certificate with a longer validity period free of charge. If you are ordering a brand new certificate, we recommend that you select up to 1 year as the duration in order to prevent those security warnings from being displayed in Google Chrome on your website.
 
The Google Chrome browser also provides two types of additional information about the SSL certificate.
 
      1. “The identity of this website has been verified by KLASS3-SK 2010 but does not have public audit records.”
This notification relates to Google Certificate Transparency (CT), which is a new control mechanism developed by Google. CT is currently mandatory for all issuers of Extended Validation Certificates (EV) or green SSL certificates. This scrutiny is not yet required for the issuers of regular SSL certificates, thus this message will be displayed about the certificates of many certification authorities. When CT becomes mandatory for all providers of SSL certificates, SK will also join this programme.

      2. “The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.”
This message addresses the use of the SHA-1 hash algorithm in the end-user certificate or intermediate certificate, which is issued that certificate and which the Google Chrome browser must verify. 
 
It is likely that other web browsers also start displaying similar warnings about SHA-1 in the near future. Microsoft announced already at the end of 2013 that from 01.01.2017 the Windows operating system will no longer support the SHA-1 hash algorithm in certificates.
 
You can check here whether the SSL certificate used in the web server is displayed with a warning from Google Chrome and in which version the content of the warning changes.
 
If you have any questions about the certificates issued by SK or the validity period for which certificates should be ordered, you can obtain additional information from SK customer support by email support[A]sk.ee or by phone +372 610 1880.