SHA-1 has been in use among commercial certification authorities (CAs) since the late 1990s, and today accounts for the overwhelming majority of digital certificates in use.
As of June 2014, SHA-1 SSL certificates accounted for over 98 percent of certificates issued worldwide. It’s also likely that many organizations have not yet taken the steps to migrate from SHA-1-based SSL certificates to those using SHA-2.
The migration of certificates is not trivial and has the potential to cause major problems, particularly if the process is not carefully planned and all affected parties are not considered.
This is not simply a patch that can be released as a global update. This process requires strategic coordination between responsible IT and security management teams. Review the three critical mistakes to avoid to ensure a smooth migration to the SHA-2 standard.
Mistake No. 1 – Not Having a Process Owner
Make sure to put a process owner in place. This means establishing clear ownership of the migration, with the owner responsible for a process that ensures nothing is overlooked, all technological implications are considered, the technology is implemented properly, and people know what to do if issues arise.
For an in-depth breakdown of how to develop a successful transition to SHA-2, download, “A Migration Guide to SHA-2 SSL Certificates: Avoiding pitfalls, meeting critical deadlines and eliminating service disruptions during SHA-1 certificate deprecation.”
Mistake No. 2 – Not Setting Priorities
Some organizations will have hundreds or thousands of SHA-1 certificates in use, distributed across the enterprise and beyond (e.g., at service providers such as Amazon Web Services, Rackspace, etc.).
Given the magnitude and volume of this migration, it is likely to be an overwhelming task that is difficult to complete without setting priorities. Consider introducing a process that allows for a systematic migration: one that places priority on the most mission-critical applications and helps prevent the deployment of incompatible certificates that could disrupt operations.
Mistake No. 3 – Not Communicating Properly
People are always the weakest link in the security chain, so ensure everyone in the organization who manages or deploys applications, platforms or IT infrastructure is aware of the migration plan.
This also includes help desks, customer service and support, and business application owners. Organizations should treat this as a time-sensitive initiative and take steps to inform everyone who has a role in the certificate-updating process, as well as those in support roles who need to be prepared in the event that updates do not occur in a timely manner or there are errors in the process.