SHA-1 Description

In light of recent research which contends that the SHA-1 hashing algorithm could be more vulnerable to attack than was previously thought, both Microsoft and Mozilla have begun discussions to bring forward the date when their browsers will reject SHA-1 based SSL/TLS certificates.


Although not yet confirmed, Mozilla is considering rejecting SHA-1 certificates after July 1st 2016, while Microsoft may start to reject them after the slightly earlier date of June 2016. If these plans become policy, then Firefox and Internet Explorer/Edge will show error messages whenever they encounter a SHA-1 certificate after the new dates. The previous deadline was January 1st 2017 as explained in our advisories here and here.

We anticipate that Google may soon announce a similar timeline for their Chrome browser. Because of this, we strongly recommend that customers replace any SHA-1 SSL/TLS certificates on their websites with a SHA-2 version, which we provide free of charge, no later than May 31st 2016.

The following table summarizes the proposed new dates when the major browsers will cease to trust SHA-1 signed SSL/TLS certificates:

SSL/TLS Certificates

Browser              Current Deadline    Proposed Deadline
Microsoft IE/Edge    Jan 1st 2017        June 1st 2016
Mozilla Firefox      Jan 1st 2017        July 1st 2016
Google Chrome        Jan 1st 2017        Not announced yet

Mozilla blog:

Microsoft blog:

Readers should consider all dates as subject to change pending further review from Microsoft, Google and Mozilla.

How do I know if I am affected?

Enter your domain in our certificate checker at . The ‘signature’ row will tell you if you have a SHA-1 certificate. If so, please get a free SHA-2 replacement from Comodo before May 31st 2016. If your certificate expires before May 31st then you are free to let it expire as normal, but we advise you get a SHA-2 replacement at the earliest opportunity anyway to ensure the highest levels of protection for your visitors.
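The ‘signature’ row of a certificate checker reports the signatureAlgorithm field of the X.509 certificate, which is where SHA-1 shows up. The script below is an added example (not Comodo's checker and not code from this advisory) that reads that field directly from a DER-encoded certificate using only the Python standard library: it walks the outer Certificate SEQUENCE, skips tbsCertificate, and decodes the AlgorithmIdentifier OID. The OID-to-name table is from RFC 3279/4055/5758; the `constructed_cert` helper builds a constructed certificate skeleton (a dummy tbsCertificate and an empty signature) purely so the parser can be exercised offline, and `check_server` is a convenience wrapper that needs network access.

```python
"""Report the signature algorithm of a DER-encoded X.509 certificate (stdlib only)."""
import ssl

# signatureAlgorithm OIDs from RFC 3279 (sha1/ecdsa-sha1), RFC 4055 (RSA with SHA-2)
# and RFC 5758 (ECDSA with SHA-2). SHA-1 entries are the ones browsers will reject.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def _read_tlv(buf, pos):
    """Parse one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OID content octets into dotted notation (base-128 arcs, MSB = continue)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate must be a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm must be a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)         # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return _decode_oid(oid)


def describe(der):
    """Human-readable algorithm name, or the raw OID if it is not in the table."""
    oid = signature_algorithm(der)
    return SIG_ALG_OIDS.get(oid, oid)


def uses_sha1(der):
    """True if this certificate is signed with a SHA-1 based algorithm."""
    return signature_algorithm(der) in SHA1_OIDS


def check_server(host, port=443):
    """Fetch a server's leaf certificate and report (name, is_sha1). Needs network."""
    pem = ssl.get_server_certificate((host, port))
    return describe(ssl.PEM_cert_to_DER_cert(pem)), uses_sha1(ssl.PEM_cert_to_DER_cert(pem))


# ---- constructed test data (not real certificates) ---------------------------
def _der(tag, content):
    """Minimal DER TLV encoder supporting short- and long-form lengths."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return out


def constructed_cert(sig_oid):
    """Constructed certificate skeleton: dummy tbsCertificate (an INTEGER 1), the given
    signatureAlgorithm, and a 200-byte zero signature so long-form lengths are exercised."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 200)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        der = constructed_cert(oid)
        print(f"{describe(der):28s} sha1={uses_sha1(der)}")
```

This inspects only the leaf certificate; browsers evaluate every certificate in the chain, so any intermediate CA certificate served by the site should be checked the same way (the trust anchor itself is exempt because its self-signature is never verified). For a certificate already on disk, read the PEM file and pass it through `ssl.PEM_cert_to_DER_cert` before calling `describe`.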

How do I get a SHA-2 certificate?

Comodo offers a free certificate replacement program to all customers. To replace your SHA-1 certificate, log into your Comodo account, locate your certificate order and use the ‘Replace Certificate’ facility. Please make sure to supply a SHA-2 CSR (or select the ‘SHA-2’ option under ‘Hash Algorithm’ on the certificate order form). We will also reach out to Comodo customers and partners with SHA-1 certificates that expire after May 31st 2016 to help them obtain a replacement. More guidance can be found in this support article.

Does anything still need SHA-1?

There is a full list of operating systems, browsers and servers which support SHA-2 on the CA Security Council website here. If you have a particular piece of software that you have concerns over, we suggest contacting the software vendor to see if they have, or are planning to offer, SHA-2 support.
Comodo has a test site that uses a SHA-2 certificate. You can test software and devices against this URL to attempt to determine SHA-2 compatibility:

Comodo will continue to monitor the situation and work with our customers to ensure the SHA-2 upgrade goes as smoothly as possible. If you have questions about the transition, please contact your Comodo account manager or Comodo support directly on

Does this affect Code-Signing certificates?

There have also been minor adjustments to Microsoft’s policy on SHA-1 code signing certificates:

Code Signing Certificates
Jan 1st 2016
– Windows 7 upwards will only trust SHA-2 signed code
– CAs will no longer issue SHA-1 code signing certificates
– CAs MAY issue SHA-1 certificates to developers targeting Windows Vista or Server 2008 only

Please note that although CAs MAY issue SHA-1 code-signing certificates after Jan 1st 2016, code signed (and timestamped) with a SHA-1 signature or using a SHA-1 certificate WILL NOT WORK for standard Authenticode signing for code to run on Windows 7 and upwards.

Microsoft enforcement:

References and further reading