December 18, 2014

Certificates for secure communication to require upgrade

Anyone who has ordered a certificate from the Vanderbilt IT Software Store or through Enterprise Public Key Infrastructure (PKI) for use with an application or service will need to upgrade to ensure future communications remain secure, as certificates using Secure Hash Algorithm 1 (SHA1) are no longer recognized as secure.

Certificates using SHA1 to secure applications will no longer be issued after Jan. 1, 2016. Those who purchased certificates to secure an application or provide a signature will need to update their certificates to use SHA2. The Vanderbilt IT Software Store can reissue GeoTrust SSL SHA1-based certificates (with an expiration date after Dec. 31, 2015) or InCommon SSL SHA1-based certificates as SHA2 certificates for free. The certificate’s original expiration date will remain the same.

SHA1 is a security mechanism used to verify to the recipient that the data sent has not been altered in any way in transit. Weaknesses have been discovered in SHA1 that may allow an attacker to alter the data sent without the recipient knowing about it.

Please contact the vendor of your application to verify that they support SHA2 certificates. If they do not, ask when they will support SHA2 certificates and whether an update or upgrade is required. Additionally, it is always best to test any major change like this in a test environment that uses similar software and versions before deploying to production. In-house developed applications will need to be tested. A list of SHA2-compatible software can be found at https://www.digicert.com/sha-2-compatibility.htm.

SHA1 certificates will not be issued after Jan. 1, 2016, and SHA1 will be completely deprecated by Jan. 1, 2017. Stay in regular contact with the vendor or developer of your application to stay informed of any updates to support SHA2. Plan any updates or upgrades well in advance of Jan. 1, 2016, because you will not be able to purchase a SHA1 certificate after that date.

For additional information, please email vuit.identity.operations@vanderbilt.edu, and a member of the identity operations team will assist you.