Change in SHA-2 SSL/TLS certificates reissue plan

Blog Post created by Rajiv Aaron Manglani (Employee) on Apr 22, 2015

To coordinate better with our customers, we are changing the plan communicated in February 2015 (see our blog post) for the SHA-2 SSL/TLS certificate rollout. Akamai will no longer proactively reissue existing Akamai-managed SHA-1 certificates as SHA-2. Existing certificates will be upgraded to SHA-2 during their next annual renewal. No action is needed on your part unless you want to upgrade prior to renewal or continue to use SHA-1 certificates.

 

  • Our continued recommendation is that customers migrate to SHA-2 certificates as soon as possible.
  • SHA-2 is still the default for all new certificate orders, and for all certificate renewals placed through Akamai.
  • At any time, you can request to have existing SHA-1 certificates upgraded to SHA-2 by working with your account team or Customer Care. The certificates will be reissued as SHA-2 with no change in expiration date.
  • If needed, you can work with your account team to set a deployment time window for the reissued certificate.
  • If you have a continued need for SHA-1 certificates, please notify your account team or Customer Care. Following updated industry standards, SHA-1 certificates will be available only until the end of 2015.

 

Google Chrome treats SHA-1 certificates which expire after Jan 1, 2016 as “secure, but with minor errors.” Users visiting sites with these SHA-1 certificates will see a yellow warning icon in the address bar instead of the green lock icon. The suggested mitigation is to upgrade the site’s SSL/TLS certificate to SHA-2.
