Transition to InCommon SSL Certificates with SHA-2 FAQs

You can view details by browsing to your website and clicking the icon in your browser to view the SSL certificate. On the details screen for the certificate look for the "signature hash algorithm" and the "valid to" date. You can also use server tools like the openssl command.

Yes. Unfortunately, that is the only way to get a SHA-2 certificate. If you still have the CSR you used to create your SHA-1 certificate, it's possible to use it again to get a SHA-2 certificate. Otherwise, you'll need to create a new CSR.

Submit a certificate signing request (CSR) containing the exact same information as the original to ssl@ucsb.edu.

Yes. SHA-2 SSL certificates depend on a new set of CAs, each with their own SHA-2 certificates. In the past there was only one intermediate certificate, but for SHA-2 there are two. You will need to have both of these intermediate certificates installed on your web server in order for browsers to follow the chain to a trusted root certificate.

One of InCommon's two new intermediate certificates was signed with SHA-512. (SHA-2 is a family of algorithms that includes SHA-256, SHA-384, and SHA-512.) The SHA-512 intermediate has been found to have some interoperability issues so, as of today, that intermediate CA is using a new certificate signed with SHA-384. The original SHA-512 certificate is still valid for any InCommon SSL certificates issued from 10/1/2014 through 10/5/2014 that include the SHA-512 certificate in their chain of trust.

That depends on the browser, the expiration date for the certificate, and the current date. Initially the user may see warnings or changes in the security icons used in the address bar. By 1/1/2017 all major browsers will reject certificates signed with SHA-1.

If your server encrypts connections with SSL, you should upgrade its certificates to SHA-2. The most common and visible impact will be for HTTPS connections, but IMAPS or LDAPS or other SSL-protected connections also need to be upgraded before end-users' operating systems end support for SHA-1 certificates.

If you are running an Windows IIS server, then there are apparently some undocumented steps you must take to get the certs working with Firefox. Chrome and I.E. don't seem to have the problem.
Here they are:

  1. Open a blank MMC and add "Certificates" in the Local Computer context.
  2. Open the "Trusted Root Certification Authorities / Certificates" folder.
  3. Find the certificate "USER Trust RSA Certification Authority" (expires 1/18/2038) and delete it.
  4. Open the "Intermediate Certification Authorities / Certificates" folder.
  5. Verify the presence of "InCommon RSA Server CA" (expires 10/5/2024) and "USER Trust RSA Certification Authority" (expires 5/30/2020).
  6. Run gpedit.msc
  7. Drill down to Computer Config | Admin Templates | System |Internet Communication Management | Internet Communication Settings
  8. Locate "Turn off Automatic Root Certificates Update" and change the setting to "Enabled".
  9. In IIS Manager, delete the HTTPS binding from your server instance and re-create it. Bind your SHA256 certificate.
  10. Restart the World Wide Web Publishing Service.